]> git.ipfire.org Git - thirdparty/squid.git/commit - CONTRIBUTORS
projects / thirdparty / squid.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a586085) | patch
Validate Content-Length value prefix (#629)
authorAlex Rousskov <rousskov@measurement-factory.com>
Wed, 13 May 2020 14:05:00 +0000 (14:05 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Wed, 13 May 2020 16:19:21 +0000 (16:19 +0000)
commit9fcf5206651e7c896b74695422e994ede45db319
treed527cf03f943bff60d35dfa896aa59c481e76c0dtree | snapshot
parenta58608546341c5d2f53f7a4798ae464921961d9fcommit | diff
Validate Content-Length value prefix (#629)

The new code detects all invalid Content-Length prefixes but the old
code was already rejecting most invalid prefixes using strtoll(). The
newly covered (and now rejected) invalid characters are

* explicit "+" sign;
* explicit "-" sign in "-0" values;
* isspace(3) characters that are not (relaxed) OWS characters.

In most deployment environments, the last set is probably empty because
the relaxed OWS set has all the POSIX/C isspace(3) characters but the
new line, and the new line is unlikely to sneak in past other checks.

Thank you, Amit Klein <amit.klein@safebreach.com>, for elevating the
importance of this 2016 TODO (added in commit a1b9ec2).
CONTRIBUTORS diff | blob | blame | history
src/http/ContentLengthInterpreter.cc diff | blob | blame | history
src/http/ContentLengthInterpreter.h diff | blob | blame | history
Mirror of https://github.com/squid-cache/squid.git