J. K.(openbsd.l...@krottmayer.com) on 2021.10.21 11:55:47 +0200: > Hi, > > I don't know if this is a real issue from OpenBSD's httpd(8). > Tried some requests to httpd(8) for the purpose of education. > > Simple tried the following request: > > $ telnet 10.42.42.183 80 > Trying 10.42.42.183... > Connected to 10.42.42.183. > Escape character is '^]'. > GET / HTTP/1.1 > fasfsdfsfd > > Here without the colon httpd(8) return an internal server > error. > > Can somebody verify this behavior? > > Noticed with OpenBSD 7.0. Is this a correct behavior (RFC > conform)? > > Thanks in advance! > > Kind regrads, > > J. K.
Hi, yes. The server should probably answer with a "Bad Request" instead. Fix below. ok? diff --git usr.sbin/httpd/server_http.c usr.sbin/httpd/server_http.c index 732add41283..fce3c21af72 100644 --- usr.sbin/httpd/server_http.c +++ usr.sbin/httpd/server_http.c @@ -268,8 +268,14 @@ server_read_http(struct bufferevent *bev, void *arg) else if (*key == ' ' || *key == '\t') /* Multiline headers wrap with a space or tab */ value = NULL; - else + else { + /* Not a multiline header, should have a : */ value = strchr(key, ':'); + if (value == NULL) { + server_abort_http(clt, 400, "malformed"); + goto abort; + } + } if (value == NULL) { if (clt->clt_line == 1) { server_abort_http(clt, 400, "malformed");