From: Mike Stepanek (mstepane) Date: Fri, 10 Apr 2020 19:35:59 +0000 (+0000) Subject: Merge pull request #2145 in SNORT/snort3 from ~DERAMADA/snort3:hi_http_uri_fragment... X-Git-Tag: 3.0.1-2~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b84753c4c61b5c3c9651f62775f023925cee2fc8;p=thirdparty%2Fsnort3.git Merge pull request #2145 in SNORT/snort3 from ~DERAMADA/snort3:hi_http_uri_fragment to master Squashed commit of the following: commit 54f33541eeb50c01b81671321e32f03551d9f19b Author: deramada Date: Fri Apr 10 09:17:24 2020 -0400 http_inspect: add fragment to http_uri --- diff --git a/doc/http_inspect.txt b/doc/http_inspect.txt index 4fb7e587a..20768244e 100644 --- a/doc/http_inspect.txt +++ b/doc/http_inspect.txt @@ -359,9 +359,10 @@ http_uri represents the normalized uri, normalization of components depends on uri type. If the uri is of type absolute (contains all six components) or absolute path (contains path, query and fragment) then the path and query components are normalized. In these cases, http_uri represents the normalized -path and query (/path?query). If the uri is of type authority (host and port), -the host is normalized and http_uri represents the normalized host with the port -number. In all other cases http_uri is the same as http_raw_uri. +path, query, and fragment (/path?query#fragment). If the uri is of type +authority (host and port), the host is normalized and http_uri represents the +normalized host with the port number. In all other cases http_uri is the same +as http_raw_uri. Note: this section uses informal language to explain some things. Nothing here is intended to conflict with the technical language of the HTTP RFCs diff --git a/src/service_inspectors/http_inspect/http_uri.cc b/src/service_inspectors/http_inspect/http_uri.cc index ad7207154..f92cb465e 100644 --- a/src/service_inspectors/http_inspect/http_uri.cc +++ b/src/service_inspectors/http_inspect/http_uri.cc @@ -243,17 +243,26 @@ void HttpUri::normalize() UriNormalizer::need_norm(query, false, uri_param, infractions, events)) *infractions += INF_URI_NEED_NORM_QUERY; - if (!((*infractions & INF_URI_NEED_NORM_PATH) || (*infractions & INF_URI_NEED_NORM_QUERY))) + if ((fragment.length() > 0) && + UriNormalizer::need_norm(fragment, false, uri_param, infractions, events)) + *infractions += INF_URI_NEED_NORM_FRAGMENT; + + if (!((*infractions & INF_URI_NEED_NORM_PATH) + || (*infractions & INF_URI_NEED_NORM_QUERY) + || (*infractions & INF_URI_NEED_NORM_FRAGMENT))) { // This URI is OK, normalization not required path_norm.set(path); query_norm.set(query); + fragment_norm.set(fragment); const int path_len = (path.length() > 0) ? path.length() : 0; // query_len = length of query + 1 (? char) const int query_len = (query.length() >= 0) ? query.length() + 1 : 0; + // fragment_len = length of fragment + 1 (# char) + const int fragment_len = (fragment.length() >= 0) ? fragment.length() + 1 : 0; - classic_norm.set(path_len + query_len, abs_path.start()); + classic_norm.set(path_len + query_len + fragment_len, abs_path.start()); check_oversize_dir(path_norm); return; @@ -264,6 +273,7 @@ void HttpUri::normalize() // Create a new buffer containing the normalized URI by normalizing each individual piece. int total_length = path.length() ? path.length() + UriNormalizer::URI_NORM_EXPANSION : 0; total_length += (query.length() >= 0) ? query.length() + 1 : 0; + total_length += (fragment.length() >= 0) ? fragment.length() + 1 : 0; uint8_t* const new_buf = new uint8_t[total_length]; uint8_t* current = new_buf; @@ -293,6 +303,20 @@ void HttpUri::normalize() } current += query_norm.length(); } + if (fragment.length() >= 0) + { + memcpy(current, "#", 1); + current += 1; + if (*infractions & INF_URI_NEED_NORM_FRAGMENT) + UriNormalizer::normalize(fragment, fragment_norm, false, current, uri_param, infractions, + events); + else + { + memcpy(current, fragment.start(), fragment.length()); + fragment_norm.set(fragment); + } + current += fragment_norm.length(); + } assert(current - new_buf <= total_length); @@ -351,24 +375,3 @@ const Field& HttpUri::get_norm_host() return host_norm; } - -const Field& HttpUri::get_norm_fragment() -{ - if (fragment_norm.length() != STAT_NOT_COMPUTE) - return fragment_norm; - - if ((fragment.length() > 0) and - UriNormalizer::need_norm(fragment, false, uri_param, infractions, events)) - { - uint8_t *buf = new uint8_t[fragment.length()]; - - *infractions += INF_URI_NEED_NORM_FRAGMENT; - - UriNormalizer::normalize(fragment, fragment_norm, false, buf, uri_param, - infractions, events, true); - } - else - fragment_norm.set(fragment); - - return fragment_norm; -} diff --git a/src/service_inspectors/http_inspect/http_uri.h b/src/service_inspectors/http_inspect/http_uri.h index 7152f4b5b..c8e5f847f 100644 --- a/src/service_inspectors/http_inspect/http_uri.h +++ b/src/service_inspectors/http_inspect/http_uri.h @@ -53,7 +53,7 @@ public: const Field& get_norm_host(); const Field& get_norm_path() { return path_norm; } const Field& get_norm_query() { return query_norm; } - const Field& get_norm_fragment(); + const Field& get_norm_fragment() { return fragment_norm; } const Field& get_norm_classic() { return classic_norm; } size_t get_file_proc_hash();