Ticket: #6426
as per RFC 9113
":authority" MUST NOT include the deprecated userinfo subcomponent
for "http" or "https" schemed URIs.
alert http2 any any -> any any (msg:"SURICATA HTTP2 variable-length integer overflow"; flow:established; app-layer-event:http2.header_integer_overflow; classtype:protocol-command-decode; sid:2290011; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:established; app-layer-event:http2.too_many_streams; classtype:protocol-command-decode; sid:2290012; rev:1;)
alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;)
self.decoder.http2_encoding_fromvec(&block.value, dir);
} else if block.name.eq_ignore_ascii_case(b":authority") {
authority = Some(&block.value);
+ if block.value.iter().any(|&x| x == b'@') {
+ // it is forbidden by RFC 9113 to have userinfo in this field
+ // when in HTTP1 we can have user:password@domain.com
+ self.set_event(HTTP2Event::UserinfoInUri);
+ }
} else if block.name.eq_ignore_ascii_case(b"host") {
host = Some(&block.value);
}
HeaderIntegerOverflow,
TooManyStreams,
AuthorityHostMismatch,
+ UserinfoInUri,
}
pub struct HTTP2DynTable {
projects / thirdparty / suricata.git / commitdiff
