From: Philippe Antoine Date: Sat, 5 Apr 2025 19:22:25 +0000 (+0200) Subject: http: restore behavior for event http.uri_delim_non_compliant X-Git-Tag: suricata-8.0.0-beta1~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c203ff774d4df543e0d9fcd8c2714874c1e155f6;p=thirdparty%2Fsuricata.git http: restore behavior for event http.uri_delim_non_compliant If we see a space-like character that is not space 0x20 in uri, we set this event, even it the request line finished with a normal space and protocol Fixes: 9c324b796e6b ("http: Use libhtp-rs.) --- diff --git a/rust/htp/src/request.rs b/rust/htp/src/request.rs index c26dfe797c..56fe02db11 100644 --- a/rust/htp/src/request.rs +++ b/rust/htp/src/request.rs @@ -961,22 +961,24 @@ impl ConnectionParser { *c == 0x20 }); - if uri.len() == remaining.len() && uri.iter().any(|&c| is_space(c)) { + if uri.iter().any(|&c| is_space(c) && c != 0x20) { // warn regardless if we've seen non-compliant chars htp_warn!( self.logger, HtpLogCode::URI_DELIM_NON_COMPLIANT, "Request line: URI contains non-compliant delimiter" ); - // if we've seen some 'bad' delimiters, we retry with those - let uri_protocol = split_on_predicate( - remaining, - self.cfg.decoder_cfg.allow_space_uri, - true, - |c| is_space(*c), - ); - uri = uri_protocol.0; - protocol = uri_protocol.1; + if uri.len() == remaining.len() { + // if we've seen some 'bad' delimiters, we retry with those + let uri_protocol = split_on_predicate( + remaining, + self.cfg.decoder_cfg.allow_space_uri, + true, + |c| is_space(*c), + ); + uri = uri_protocol.0; + protocol = uri_protocol.1; + } } let req = self.request_mut().unwrap();