From 3cfa6e0f58e592d48a74ea301eb2a955e1bb9fb8 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 25 Apr 2008 22:39:36 +1200
Subject: [PATCH] Bug 2297: file uploads (RFC1867) fail with "error:double-CR"

Uses strnstr instead of strstr to limit the scan area
---
 src/client_side.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/client_side.cc b/src/client_side.cc
index df75e9d96a..37344a9590 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -1919,7 +1919,11 @@ parseHttpRequest(ConnStateData::Pointer & conn, HttpParser *hp, method_t * metho
 
     debugs(33, 3, "parseHttpRequest: end = {" << end << "}");
 
-    if (strstr(req_hdr, "\r\r\n")) {
+    /*
+     * Check that the headers don't have double-CR.
+     * NP: strnstr is required so we don't search any possible binary body blobs.
+     */
+    if ( strnstr(req_hdr, "\r\r\n", req_sz) ) {
         debugs(33, 1, "WARNING: suspicious HTTP request contains double CR");
         xfree(url);
         return parseHttpRequestAbort(conn, "error:double-CR");
-- 
2.47.2