From: William A. Rowe Jr Date: Thu, 18 Aug 2016 20:26:53 +0000 (+0000) Subject: Correct request header handling of whitespace with the new possible config of X-Git-Tag: 2.5.0-alpha~1256 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc0d9fa11e66dc80ead856b6902db8d9c1e40dc7;p=thirdparty%2Fapache%2Fhttpd.git Correct request header handling of whitespace with the new possible config of HttpProtocolOptions Unsafe StrictWhitespace I have elected not to preserve any significance to excess whitespace in the now-deprecated obs-fold code path, that's certainly open for discussion. This can be reviewed by tweaking t/conf/extra.conf to switch Strict to Unsafe. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756847 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/server/protocol.c b/server/protocol.c index ed1ff100a63..094dc88a40c 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -878,6 +878,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb char *tmp_field; core_server_config *conf = ap_get_core_module_config(r->server->module_config); int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); + int strictspaces = (conf->http_whitespace == AP_HTTP_WHITESPACE_STRICT); /* * Read header lines until we get the empty separator line, a read error, @@ -988,7 +989,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb } memcpy(last_field + last_len, field, len +1); /* +1 for nul */ /* Replace obs-fold w/ SP per RFC 7230 3.2.4 */ - if (strict) { + if (strict || strictspaces) { last_field[last_len] = ' '; } last_len += len; @@ -1017,9 +1018,23 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb return; } - if (!strict) { + if (!strict) + { /* Not Strict ('Unsafe' mode), using the legacy parser */ + if (strictspaces && strpbrk(last_field, "\n\v\f\r")) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03451) + "Request header presented bad whitespace " + "(disallowed by StrictWhitespace)"); + return; + } + else { + char *ll = last_field; + while ((ll = strpbrk(ll, "\n\v\f\r"))) + *(ll++) = ' '; + } + if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564) @@ -1029,10 +1044,19 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb return; } - tmp_field = value - 1; /* last character of field-name */ + /* last character of field-name */ + tmp_field = value - (value > last_field ? 1 : 0); *value++ = '\0'; /* NUL-terminate at colon */ + if (strictspaces && strpbrk(last_field, " \t")) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03452) + "Request header field name with whitespace " + "(disallowed by StrictWhitespace)"); + return; + } + while (*value == ' ' || *value == '\t') { ++value; /* Skip to start of value */ } @@ -1040,7 +1064,14 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb /* Strip LWS after field-name: */ while (tmp_field > last_field && (*tmp_field == ' ' || *tmp_field == '\t')) { - *tmp_field-- = '\0'; + *(tmp_field--) = '\0'; + } + + if (tmp_field == last_field) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03453) + "Request header field name was empty"); + return; } } else /* Using strict RFC7230 parsing */