From: Daniel Stenberg Date: Fri, 18 Mar 2022 21:54:59 +0000 (+0100) Subject: http: return error on colon-less HTTP headers X-Git-Tag: curl-7_83_0~134 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcdf2e8a3613d969b0d931dc70838b2fea493931;p=thirdparty%2Fcurl.git http: return error on colon-less HTTP headers It's a protocol violation and accepting them leads to no good. Add test case 398 to verify Closes #8610
---
diff --git a/lib/http.c b/lib/http.c
index bc030ddb7f..f5075c98a2 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3775,6 +3775,29 @@ CURLcode Curl_http_size(struct Curl_easy *data)
 return CURLE_OK;
 }

+static CURLcode verify_header(struct Curl_easy *data)
+{
+ struct SingleRequest *k = &data->req;
+ const char *header = Curl_dyn_ptr(&data->state.headerb);
+ size_t hlen = Curl_dyn_len(&data->state.headerb);
+ char *ptr = memchr(header, 0x00, hlen);
+ if(ptr) {
+ /* this is bad, bail out */
+ failf(data, "Nul byte in header");
+ return CURLE_WEIRD_SERVER_REPLY;
+ }
+ if(k->headerline < 2)
+ /* the first "header" is the status-line and it has no colon */
+ return CURLE_OK;
+ ptr = memchr(header, ':', hlen);
+ if(!ptr) {
+ /* this is bad, bail out */
+ failf(data, "Header without semicolon");
+ return CURLE_WEIRD_SERVER_REPLY;
+ }
+ return CURLE_OK;
+}
+
 /*
 * Read any HTTP header lines from the server and pass them to the client app.
 */
@@ -4283,12 +4306,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 }
 }

- end_ptr = memchr(headp, 0x00, Curl_dyn_len(&data->state.headerb));
- if(end_ptr) {
- /* this is bad, bail out */
- failf(data, "Nul byte in header");
- return CURLE_WEIRD_SERVER_REPLY;
- }
+ result = verify_header(data);
+ if(result)
+ return result;

 result = Curl_http_header(data, conn, headp);
 if(result)
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index a7a42d2953..c16e5b1da8 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
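Review bot: The colon check in verify_header() applies to every line after the status-line, so an obsolete folded continuation line (one that starts with a space or tab and has no colon of its own) would now fail with CURLE_WEIRD_SERVER_REPLY, assuming such lines reach this function as separate lines, which the hunk does not show. If folded lines are meant to stay accepted, exempt them before the `memchr(header, ':', hlen)` call and only after the first header field, for example `if(k->headerline > 2 && hlen && (header[0] == ' ' || header[0] == '\t')) return CURLE_OK;`. The failure text also names the wrong character: the code searches for ':' but reports `"Header without semicolon"`, so it should read `failf(data, "Header without colon");`. A colon anywhere in the line satisfies the check, including as the first byte, so a comment such as `/* minimal sanity check only; the field name is not validated here */` would keep later readers from treating it as header-name validation.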
@@ -65,7 +65,7 @@ test370 test371 test372 test373 test374 test375 test376 \
 \
 test380 test381 test383 test384 test385 test386 \
 \
-test392 test393 test394 test395 test396 test397 \
+test392 test393 test394 test395 test396 test397 test398 \
 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
 test409 test410 \
diff --git a/tests/data/test398 b/tests/data/test398
new file mode 100644
index 0000000000..b949064d29
--- /dev/null
+++ b/tests/data/test398
@@ -0,0 +1,64 @@
+
+
+
+HTTP
+HTTP GET
+
+
+#
+# Server-side
+
+
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+hello
+
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+
+
+
+#
+# Client-side
+
+
+http
+
+
+Reject HTTP/1.1 response with colon-less header
+
+
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+
+
+
+#
+# Verify data after the test has been "shot"
+
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+%if hyper
+1
+%else
+8
+%endif
+
+
+