Hi,
If a client sends a bogus request with an unknown method or no HTTP version
string, httpd currently grabs the last error with strerror(). This patch makes
it call server_abort_http() directly with a more explicit error message:
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.54
diff -u -p -r1.54 server_http.c
--- server_http.c 25 Oct 2014 03:23:49 -0000 1.54
+++ server_http.c 28 Nov 2014 15:37:51 -0000
@@ -216,8 +216,10 @@ server_read_http(struct bufferevent *bev
*/
if (clt->clt_line == 1) {
if ((desc->http_method = server_httpmethod_byname(key))
- == HTTP_METHOD_NONE)
- goto fail;
+ == HTTP_METHOD_NONE) {
+ server_abort_http(clt, 501, "unknown method");
+ return
+ }
/*
* Decode request path and query
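Review bot: The added `return` in the unknown-method branch has no terminating semicolon, so the new code does not compile as posted; it should read `return;`. This branch also returns without the `free(line);` that the no-version branch in the next hunk performs before aborting. If `line` is a heap buffer still owned at this point (its allocation is outside the hunk, so this is inferred), every request with an unrecognised method would leak it, and a remote client can repeat that at will. I would write the branch body as `free(line);`, `server_abort_http(clt, 501, "unknown method");`, `return;`. server_read_http begins and continues outside this hunk, so the ownership of `line` should be confirmed against the full function.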
@@ -230,7 +232,8 @@ server_read_http(struct bufferevent *bev
desc->http_version = strchr(desc->http_path, ' ');
if (desc->http_version == NULL) {
free(line);
- goto fail;
+ server_abort_http(clt, 500, "no http version");
+ return;
}
*desc->http_version++ = '\0';
desc->http_query = strchr(desc->http_path, '?');
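Review bot: A request line with no version string is a malformed client request, but the new call reports it as 500, which tells the client and any log-based alerting that the server itself failed. Using `server_abort_http(clt, 400, "no http version");` would classify the error by its cause, as the 501 in the unknown-method branch already does, and would stop malformed input from inflating 5xx counts. The rest of server_read_http is outside the hunk, so whether `desc->http_path` is released on this early-return path cannot be checked from here.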