Eric Wong
2011-Jul-13 01:28 UTC
[PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
Would anybody be negatively affected by this change? I've been seeing \x00 bytes in HTTP headers from clients and would rather stop those clients earlier rather than later.

From 4a8ddcd017a75b9bc99190dc565880615709d810 Mon Sep 17 00:00:00 2001
From: Eric Wong <normalperson at yhbt.net>
Date: Tue, 12 Jul 2011 23:52:33 +0000
Subject: [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values

RFC 2616 doesn't appear to allow most CTL bytes even though Mongrel always did. Rack::Lint disallows 0..31, too, though we allow "\t" (HT, 09) since it's LWS and allowed by RFC 2616.
---
 ext/unicorn_http/unicorn_http_common.rl | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ext/unicorn_http/unicorn_http_common.rl b/ext/unicorn_http/unicorn_http_common.rl index cf93fec..cc1d455 100644 --- a/ext/unicorn_http/unicorn_http_common.rl +++ b/ext/unicorn_http/unicorn_http_common.rl @@ -20,6 +20,7 @@ pchar = (uchar | ":" | "@" | "&" | "=" | "+"); tspecials = ("(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\\" | "\"" | "/" | "[" | "]" | "?" | "=" | "{" | "}" | " " | "\t"); lws = (" " | "\t"); + content = ((any -- CTL) | lws); # elements token = (ascii -- (CTL | tspecials)); @@ -50,9 +51,9 @@ field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field; - field_value = any* >start_value %write_value; + field_value = content* >start_value %write_value; - value_cont = lws+ any* >start_value %write_cont_value; + value_cont = lws+ content* >start_value %write_cont_value; message_header = ((field_name ":" lws* field_value)|value_cont) :> CRLF; chunk_ext_val = token*;
-- 
Eric Wong
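Review bot: the new `content = ((any -- CTL) | lws);` in the first hunk silently depends on `CTL` being defined earlier in this file as exactly the 0..31 + 127 set the subject line names, and it is now the single definition that decides what gets rejected; a one-line comment beside it would help, stating that `any -- CTL` deliberately keeps octets 128..255 (RFC 2616 TEXT permits them) and that the `| lws` union only re-adds HT, since SP (0x20) was never a CTL. The `token = (ascii -- (CTL | tspecials));` rule in the same context already subtracts `CTL`, so the two definitions must stay in step if `CTL` is ever changed.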
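Review bot: in the second hunk, changing `field_value` and `value_cont` from `any*` to `content*` turns a previously accepted byte into a grammar error state, and nothing in the hunk or the commit message records what a caller sees at that point (the parser's existing invalid-format error, presumably); the commit message should say so, and the tests should cover \x00 in a first-line value, \x00 in a folded continuation line, and a value containing HT plus an octet >= 0x80 still being accepted. One consequence worth a sentence in the message: since CR and LF are CTLs, `content*` can no longer swallow a stray bare CR or LF inside a value the way `any*` could before `:> CRLF` took over, which is a tightening beyond the \x00 case that motivated the patch.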
Eric Wong
2011-Jul-13 23:52 UTC
[PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
Eric Wong <normalperson at yhbt.net> wrote:
> Would anybody be negatively affected by this change? I've been seeing
> \x00 bytes in HTTP headers from clients and would rather stop those
> clients earlier rather than later.

Pushed out with tests to git://bogomips.org/unicorn.git
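The field-value rule the patch above encodes, restated in plain Ruby as an added example (not unicorn's own parser, which is Ragel-generated C): bytes 0..31 and 127 are rejected in a field value or folded continuation line, HT is kept because it is LWS, and octets 128..255 pass because Ragel's `any` covers them. The `first_ctl_offset` and `check_header_block` names, the exception class and the CRLF line walker are assumptions of this example, not part of unicorn.

```ruby
# Added example, not unicorn's code: the patch's field-value rule in plain Ruby.
# RFC 2616 CTL is bytes 0..31 and 127.  The grammar's `content` machine is
# (any -- CTL) | lws, so HT (0x09) is re-added (SP 0x20 was never a CTL) and
# octets 128..255 stay allowed because Ragel's `any` covers them.
CONTENT_BYTE = ->(b) { b == 0x09 || (b >= 0x20 && b != 0x7f) }

class InvalidFieldValue < StandardError; end

# Offset of the first byte that `content*` would not accept, or nil.
def first_ctl_offset(value)
  value.each_byte.with_index { |b, i| return i unless CONTENT_BYTE.call(b) }
  nil
end

# Walk a raw, CRLF-terminated block of header lines (constructed input for
# this example) and raise on the first field value or continuation line
# carrying a non-LWS CTL byte.  Field names are not checked here; the
# grammar's `token` rule already excludes CTL from them.
def check_header_block(raw)
  raw.b.split("\r\n").each_with_index do |line, n|
    if line.start_with?(" ", "\t")
      value = line.sub(/\A[ \t]+/, "")          # value_cont = lws+ content*
    else
      _name, value = line.split(":", 2)
      next if value.nil?                        # no ":" means not a header line
      value = value.sub(/\A[ \t]*/, "")         # ":" lws* field_value
    end
    off = first_ctl_offset(value)
    next unless off
    raise InvalidFieldValue,
          format("line %d: CTL byte 0x%02x at offset %d in field value",
                 n + 1, value.getbyte(off), off)
  end
  true
end
```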