Merge pull request #3026 in SNORT/snort3 from ~KATHARVE/snort3:perf_builtin to master
authorTom Peters (thopeter) <thopeter@cisco.com>
Tue, 24 Aug 2021 18:01:50 +0000 (18:01 +0000)
committerTom Peters (thopeter) <thopeter@cisco.com>
Tue, 24 Aug 2021 18:01:50 +0000 (18:01 +0000)
Squashed commit of the following:

commit e50bf65a7c4c0ad53abe230fec94e7f053afb9d9
Author: Katura Harvey <katharve@cisco.com>
Date:   Fri Aug 13 12:18:53 2021 -0400

    http_inspect: add builtin rule for consecutive commas in accept-encoding header

src/service_inspectors/http_inspect/http_enum.h
src/service_inspectors/http_inspect/http_msg_header.cc
src/service_inspectors/http_inspect/http_normalizers.cc
src/service_inspectors/http_inspect/http_normalizers.h
src/service_inspectors/http_inspect/http_tables.cc

index f1c5ff03d2649b9020fe1181f0a12321bcaf68b2..5599b61521707046cb532850ad538ee538a3b75c 100755 (executable)
@@ -275,6 +275,7 @@ enum Infraction
     INF_JS_TMPL_NEST_OVFLOW,
     INF_CHUNK_OVER_MAXIMUM,
     INF_LONG_HOST_VALUE,
+    INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS,
     INF__MAX_VALUE
 };
 
@@ -405,6 +406,7 @@ enum EventSid
     EVENT_JS_SHORTENED_TAG = 269,
     EVENT_JS_IDENTIFIER_OVERFLOW = 270,
     EVENT_JS_TMPL_NEST_OVFLOW = 271,
+    EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS = 272,
     EVENT__MAX_VALUE
 };
 
index 4a808e0bb695900f0ac94ab5a7ed5fe51426d3e0..58100ecf055c3beafc0be167a10f4b21b204a24d 100755 (executable)
@@ -198,6 +198,14 @@ void HttpMsgHeader::gen_events()
         }
         while (consumed != -1);
     }
+
+    // Check for an empty value in Accept-Encoding (two consecutive commas)
+    if (has_consecutive_commas(get_header_value_norm(HEAD_ACCEPT_ENCODING)))
+    {
+        add_infraction(INF_ACCEPT_ENCODING_CONSECUTIVE_COMMAS);
+        create_event(EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS);
+    }
+
 }
 
 void HttpMsgHeader::update_flow()
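Review bot: The comment on the added block promises more than the check delivers: it says "an empty value in Accept-Encoding", but `has_consecutive_commas` only matches two adjacent comma bytes in whatever `get_header_value_norm(HEAD_ACCEPT_ENCODING)` returns. Whether that covers every empty list element depends on the normalization applied to this header, which is not visible in this hunk. I would narrow the comment to what is tested, e.g. `// Alert when the normalized Accept-Encoding value contains two adjacent commas`, and name the normalization it relies on. The blank line left before the closing brace of gen_events can go. gen_events starts outside the hunk, so I cannot tell whether the normalized value is already computed earlier or is requested here for the first time on every message.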
index cb19e9c648b59deb808392548372afaeb2169543..8d10a577b43c88ec2267af41b7d61da5d0a9f95d 100644 (file)
@@ -104,3 +104,13 @@ void get_last_token(const Field& input, Field& last_token, char ichar)
     last_start++;
     last_token.set(input.length() - (last_start - input.start()), last_start);
 }
+
+bool has_consecutive_commas(const Field& input)
+{
+    for (int32_t k = 0; k + 1 < input.length(); k++)
+    {
+        if ((input.start()[k] == ',') && (input.start()[k+1] == ','))
+            return true;
+    }
+    return false;
+}
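Review bot: has_consecutive_commas carries no comment explaining why the caller may pass a field without checking that the header exists. The `k + 1 < input.length()` bound makes the loop a no-op for any length of one or less, non-positive lengths included, and that property is the whole safety argument for the unguarded call in gen_events. I would state it above the function, e.g. `// Returns false for fields shorter than two bytes, including non-positive lengths (no data)`, so a later rewrite of the loop does not drop it. As a style point, `input.start()` is evaluated twice per iteration; hoisting it once with `const auto* const buf = input.start();` and indexing `buf[k]` reads more clearly.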
index 5f8071d055706d7415c3ae89c53cc0db4ee614ec..2c13f6499ee9b88f549d7f4c7a56e9d40d97ac50 100644 (file)
@@ -38,6 +38,7 @@ NormFunc norm_remove_quotes_lws;
 // Other normalization-related utilities
 void get_last_token(const Field& input, Field& last_token, char ichar);
 int64_t norm_decimal_integer(const Field& input);
+bool has_consecutive_commas(const Field& input);
 
 #endif
 
index 2107baaf5251cb7e4ebb9ce506d0441342ca75d4..cc7e28d8b3379d81e385447db7cddeb12cc61ab4 100755 (executable)
@@ -315,6 +315,8 @@ const RuleMap HttpModule::http_events[] =
     { EVENT_JS_SHORTENED_TAG,           "script opening tag in a short form" },
     { EVENT_JS_IDENTIFIER_OVERFLOW,     "max number of unique JavaScript identifiers reached" },
     { EVENT_JS_TMPL_NEST_OVFLOW,        "JavaScript template literal nesting is over capacity" },
+    { EVENT_ACCEPT_ENCODING_CONSECUTIVE_COMMAS, "Consecutive commas in HTTP Accept-Encoding "
+                                        "header" },
     { 0, nullptr }
 };
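Review bot: The new rule text starts with a capital letter (`"Consecutive commas in HTTP Accept-Encoding "`), while the neighbouring entries visible in this hunk start lower-case unless the first word is a proper noun. `"consecutive commas in HTTP Accept-Encoding header"` would match them. Alert text is often matched by downstream log tooling, so the wording is cheaper to settle before the rule is released. The http_events table starts outside the hunk, so this is judged against the three entries shown.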