You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2014/11/18 18:12:34 UTC

[jira] [Commented] (TS-3202) HTTP Parsing should not allow CTL characters in the method

    [ https://issues.apache.org/jira/browse/TS-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216441#comment-14216441 ] 

ASF GitHub Bot commented on TS-3202:
------------------------------------

GitHub user shinrich opened a pull request:

    https://github.com/apache/trafficserver/pull/149

    TS-3202: Fail the parse if a CTL character is found in the method.

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver ts-3203

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/149.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #149
    
----
commit f4022685e9df37e215db4df9bcc2196af97933b2
Author: shinrich <sh...@network-geographics.com>
Date:   2014-11-18T17:03:22Z

    TS-3202: Fail the parse if a CTL character is found in the method.

----


> HTTP Parsing should not allow CTL characters in the method
> ----------------------------------------------------------
>
>                 Key: TS-3202
>                 URL: https://issues.apache.org/jira/browse/TS-3202
>             Project: Traffic Server
>          Issue Type: Bug
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>
> http_parser_parse_req() will mark a series of bytes as a correctly parsed HTTP request if it meets the following constraints.
> <bytes excluding white space>+  <white space>+ <bytes excluding white space>+\n
> The first set of bytes is the method.  The current code will match a bunch of control characters as a valid method (found via a case in production).  Assuming the second set of bytes does not contain a valid domain name, the processing will eventually fail and return to the client a message about not being able to resolve the DNS address, which is confusing.
> Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for what characters can form a method token.  From my reading, a method can be any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), and any character but white space and control characters are allowed to be in a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).
> To improve the accuracy of our processing (and the accuracy of our error messages), I'd like to change the parsing of the method token in http_parser_parse_req() to restrict control characters from the method token as well as the white space characters. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)