You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2014/11/18 18:12:34 UTC
[jira] [Commented] (TS-3202) HTTP Parsing should not allow CTL
characters in the method
[ https://issues.apache.org/jira/browse/TS-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216441#comment-14216441 ]
ASF GitHub Bot commented on TS-3202:
------------------------------------
GitHub user shinrich opened a pull request:
https://github.com/apache/trafficserver/pull/149
TS-3202: Fail the parse if a CTL character is found in the method.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/shinrich/trafficserver ts-3203
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/149.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #149
----
commit f4022685e9df37e215db4df9bcc2196af97933b2
Author: shinrich <sh...@network-geographics.com>
Date: 2014-11-18T17:03:22Z
TS-3202: Fail the parse if a CTL character is found in the method.
----
> HTTP Parsing should not allow CTL characters in the method
> ----------------------------------------------------------
>
> Key: TS-3202
> URL: https://issues.apache.org/jira/browse/TS-3202
> Project: Traffic Server
> Issue Type: Bug
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
>
> http_parser_parse_req() will mark a series of bytes as a correctly parsed HTTP request if it meets the following constraints.
> <bytes excluding white space>+ <white space>+ <bytes excluding white space>+\n
> The first set of bytes is the method. The current code will match a bunch of control characters as a valid method (found via a case in production). Assuming the second set of bytes does not contain a valid domain name, the processing will eventually fail and return to the client a message about not being able to resolve the DNS address, which is confusing.
> Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for what characters can form a method token. From my reading, a method can be any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), and any character but white space and control characters are allowed to be in a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).
> To improve the accuracy of our processing (and the accuracy of our error messages), I'd like to change the parsing of the method token in http_parser_parse_req() to restrict control characters from the method token as well as the white space characters.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)