You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Susan Hinrichs (JIRA)" <ji...@apache.org> on 2014/11/18 16:51:33 UTC

[jira] [Created] (TS-3202) HTTP Parsing should not allow CTL characters in the method

Susan Hinrichs created TS-3202:
----------------------------------

             Summary: HTTP Parsing should not allow CTL characters in the method
                 Key: TS-3202
                 URL: https://issues.apache.org/jira/browse/TS-3202
             Project: Traffic Server
          Issue Type: Bug
            Reporter: Susan Hinrichs


http_parser_parse_req() will mark a series of bytes as a correctly parsed HTTP request if it meets the following constraints.

<bytes excluding white space>+  <white space>+ <bytes excluding white space>+\n

The first set of bytes is the method.  The current code will match a bunch of control characters as a valid method (found via a case in production).  Assuming the second set of bytes does not contain a valid domain name, the processing will eventually fail and return to the client a message about not being able to resolve the DNS address, which is confusing.

Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for what characters can form a method token.  From my reading, a method can be any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), and any character but white space and control characters are allowed to be in a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).

To improve the accuracy of our processing (and the accuracy of our error messages), I'd like to change the parsing of the method token in http_parser_parse_req() to restrict control characters from the method token as well as the white space characters. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)