From: William A. Rowe Jr Date: Mon, 14 Nov 2016 17:07:40 +0000 (+0000) Subject: Drop unused, previously sscanf() target variables X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b812029c126e07a8fc4a5f4c7f27d42d3fe6ed3;p=thirdparty%2Fapache%2Fhttpd.git Drop unused, previously sscanf() target variables Submitted by: wrowe Backport: r1756821 Drop redundant == --rrl_none evaluation Submitted by: rpluem Backport: r1756823 server/protocol.c (read_request_line): Fix compiler warnings with GCC. Submitted by: jorton Backport: r1756824 Correct request header handling of whitespace with the new possible config of HttpProtocolOptions Unsafe StrictWhitespace I have elected not to preserve any significance to excess whitespace in the now-deprecated obs-fold code path, that's certainly open for discussion. This can be reviewed by tweaking t/conf/extra.conf to switch Strict to Unsafe. Submitted by: wrowe Backport: r1756847 A band-aid to resolve an immediate IBM MVS'ism Submitted by: wrowe Backport: r1756849 Resolve Netware (and other arch) build error for non-portable isascii() Submitted by: wrowe Backport: r1756934 Generally, the cart comes before the horse, this mirrors apr_lib.h Submitted by: wrowe Backport: r1756937 After lengthy investigation with covener's assistance, it seems we cannot use a static table. We cannot change this to dynamic use of the local iconv without build changes to avoid such use on cross-platform builds. I'm satisfied if we trust iscntrl to at least catch all the most lethal C0 Ctrls (we are promised it catches bad carriage control/line endings) and leave this in the short term with an XXX to revisit at a future time. The token stop never needed this table, because we can use the affirmative list of token characters to define it. Submitted by: wrowe, covener Backport: r1756946 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1769664 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/server/gen_test_char.c b/server/gen_test_char.c index 9e55bad6c40..046f47b51bb 100644 --- a/server/gen_test_char.c +++ b/server/gen_test_char.c @@ -16,12 +16,11 @@ #ifdef CROSS_COMPILE +#include #define apr_isalnum(c) (isalnum(((unsigned char)(c)))) #define apr_isalpha(c) (isalpha(((unsigned char)(c)))) #define apr_iscntrl(c) (iscntrl(((unsigned char)(c)))) #define apr_isprint(c) (isprint(((unsigned char)(c)))) -#define apr_isascii(c) (isascii(((unsigned char)(c)))) -#include #define APR_HAVE_STDIO_H 1 #define APR_HAVE_STRING_H 1 @@ -32,48 +31,6 @@ #endif -#if APR_CHARSET_EBCDIC -/* See util.c for complete explanation of this table */ -static const short ucharmap[] = { - 0x00, 0x01, 0x02, 0x03, 0x9C, 0x09, 0x86, 0x7F, - 0x97, 0x8D, 0x8E, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, - 0x10, 0x11, 0x12, 0x13, 0x9D, 0x85, 0x08, 0x87, - 0x18, 0x19, 0x92, 0x8F, 0x1C, 0x1D, 0x1E, 0x1F, - 0x80, 0x81, 0x82, 0x83, 0x84, 0x0A, 0x17, 0x1B, - 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x05, 0x06, 0x07, - 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, - 0x98, 0x99, 0x9A, 0x9B, 0x14, 0x15, 0x9E, 0x1A, - 0x20, 0xA0, 0xE2, 0xE4, 0xE0, 0xE1, 0xE3, 0xE5, - 0xE7, 0xF1, 0xA2, 0x2E, 0x3C, 0x28, 0x2B, 0x7C, - 0x26, 0xE9, 0xEA, 0xEB, 0xE8, 0xED, 0xEE, 0xEF, - 0xEC, 0xDF, 0x21, 0x24, 0x2A, 0x29, 0x3B, 0xAC, - 0x2D, 0x2F, 0xC2, 0xC4, 0xC0, 0xC1, 0xC3, 0xC5, - 0xC7, 0xD1, 0xA6, 0x2C, 0x25, 0x5F, 0x3E, 0x3F, - 0xF8, 0xC9, 0xCA, 0xCB, 0xC8, 0xCD, 0xCE, 0xCF, - 0xCC, 0x60, 0x3A, 0x23, 0x40, 0x27, 0x3D, 0x22, - 0xD8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, - 0x68, 0x69, 0xAB, 0xBB, 0xF0, 0xFD, 0xFE, 0xB1, - 0xB0, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, - 0x71, 0x72, 0xAA, 0xBA, 0xE6, 0xB8, 0xC6, 0xA4, - 0xB5, 0x7E, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, - 0x79, 0x7A, 0xA1, 0xBF, 0xD0, 0xDD, 0xDE, 0xAE, - 0x5E, 0xA3, 0xA5, 0xB7, 0xA9, 0xA7, 0xB6, 0xBC, - 0xBD, 0xBE, 0x5B, 0x5D, 0xAF, 0xA8, 0xB4, 0xD7, - 0x7B, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, - 0x68, 0x69, 0xAD, 0xF4, 0xF6, 0xF2, 0xF3, 0xF5, - 0x7D, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, - 0x71, 0x72, 0xB9, 0xFB, 0xFC, 0xF9, 0xFA, 0xFF, - 0x5C, 0xF7, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, - 0x79, 0x7A, 0xB2, 0xD4, 0xD6, 0xD2, 0xD3, 0xD5, - 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, - 0x38, 0x39, 0xB3, 0xDB, 0xDC, 0xD9, 0xDA, 0x9F -}; -#define test_isascii_equiv(c) ((ucharmap[(unsigned char)c] & ~0x7f) == 0) -#else -#define test_isascii_equiv(c) apr_isascii(c) -#endif - - #if defined(WIN32) || defined(OS2) #define NEED_ENHANCED_ESCAPES #endif @@ -162,21 +119,20 @@ int main(int argc, char *argv[]) } /* Stop for any non-'token' character, including ctrls, obs-text, - * and "tspecials" (RFC2068) a.k.a. "separators" (RFC2616) - * XXX: We need to verify that ASCII C0 ctrls/DEL in our EBCDIC table - * are captured by apr_iscntrl() + * and "tspecials" (RFC2068) a.k.a. "separators" (RFC2616), which + * is easer to express as characters remaining in the ASCII token set */ - if (!c || apr_iscntrl(c) || strchr(" \t()<>@,;:\\\"/[]?={}", c) - || !test_isascii_equiv(c)) { + if (!(apr_isalnum(c) || strchr("!#$%&'*+-.^_`|~", c))) { flags |= T_HTTP_TOKEN_STOP; } /* Catch CTRLs other than VCHAR, HT and SP, and obs-text (RFC7230 3.2) * This includes only the C0 plane, not C1 (which is obs-text itself.) - * XXX: We need to verify that ASCII C0 ctrls/DEL in our EBCDIC table - * are captured by apr_iscntrl() + * XXX: We should verify that all ASCII C0 ctrls/DEL corresponding to + * the current EBCDIC translation are captured, and ASCII C1 ctrls + * corresponding are all permitted (as they fall under obs-text rule) */ - if (!c || (apr_iscntrl(c) && c != '\t' && test_isascii_equiv(c))) { + if (!c || (apr_iscntrl(c) && c != '\t')) { flags |= T_HTTP_CTRLS; } diff --git a/server/protocol.c b/server/protocol.c index e861b418d4a..b7844554571 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -577,8 +577,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) } deferred_error = rrl_none; char *ll; char *uri; - unsigned int major = 1, minor = 0; /* Assume HTTP/1.0 if non-"HTTP" protocol */ - char http[5]; apr_size_t len; int num_blank_lines = DEFAULT_LIMIT_BLANK_LINES; core_server_config *conf = ap_get_core_module_config(r->server->module_config); @@ -670,7 +668,7 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) deferred_error = rrl_excesswhitespace; } for (uri = ll; apr_isspace(*uri); ++uri) - if (strchr(badwhitespace, *uri) && deferred_error == rrl_none) + if (ap_strchr_c(badwhitespace, *uri) && deferred_error == rrl_none) deferred_error = rrl_badwhitespace; *ll = '\0'; if (!*uri && deferred_error == rrl_none) @@ -682,8 +680,7 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) goto rrl_done; } for (r->protocol = ll; apr_isspace(*r->protocol); ++r->protocol) - if (strchr(badwhitespace, *r->protocol) && deferred_error == rrl_none - && deferred_error == rrl_none) + if (ap_strchr_c(badwhitespace, *r->protocol) && deferred_error == rrl_none) deferred_error = rrl_badwhitespace; *ll = '\0'; if (!(ll = strpbrk(r->protocol, " \t\n\v\f\r"))) { @@ -694,7 +691,7 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) if (strictspaces && *ll) deferred_error = rrl_excesswhitespace; for ( ; apr_isspace(*ll); ++ll) - if (strchr(badwhitespace, *ll) && deferred_error == rrl_none) + if (ap_strchr_c(badwhitespace, *ll) && deferred_error == rrl_none) deferred_error = rrl_badwhitespace; if (*ll && deferred_error == rrl_none) deferred_error = rrl_trailingtext; @@ -881,6 +878,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb char *tmp_field; core_server_config *conf = ap_get_core_module_config(r->server->module_config); int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); + int strictspaces = (conf->http_whitespace == AP_HTTP_WHITESPACE_STRICT); /* * Read header lines until we get the empty separator line, a read error, @@ -993,7 +991,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb } memcpy(last_field + last_len, field, len +1); /* +1 for nul */ /* Replace obs-fold w/ SP per RFC 7230 3.2.4 */ - if (strict) { + if (strict || strictspaces) { last_field[last_len] = ' '; } last_len += len; @@ -1022,9 +1020,23 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb return; } - if (!strict) { + if (!strict) + { /* Not Strict ('Unsafe' mode), using the legacy parser */ + if (strictspaces && strpbrk(last_field, "\n\v\f\r")) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03451) + "Request header presented bad whitespace " + "(disallowed by StrictWhitespace)"); + return; + } + else { + char *ll = last_field; + while ((ll = strpbrk(ll, "\n\v\f\r"))) + *(ll++) = ' '; + } + if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564) @@ -1034,10 +1046,19 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb return; } - tmp_field = value - 1; /* last character of field-name */ + /* last character of field-name */ + tmp_field = value - (value > last_field ? 1 : 0); *value++ = '\0'; /* NUL-terminate at colon */ + if (strictspaces && strpbrk(last_field, " \t")) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03452) + "Request header field name with whitespace " + "(disallowed by StrictWhitespace)"); + return; + } + while (*value == ' ' || *value == '\t') { ++value; /* Skip to start of value */ } @@ -1045,7 +1066,14 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb /* Strip LWS after field-name: */ while (tmp_field > last_field && (*tmp_field == ' ' || *tmp_field == '\t')) { - *tmp_field-- = '\0'; + *(tmp_field--) = '\0'; + } + + if (tmp_field == last_field) { + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03453) + "Request header field name was empty"); + return; } } else /* Using strict RFC7230 parsing */