Skip to content

Commit

Permalink
Validate HTTP version
Browse files Browse the repository at this point in the history
  • Loading branch information
robert committed Nov 28, 2024
1 parent 3dd4c7d commit d1770b9
Show file tree
Hide file tree
Showing 3 changed files with 47 additions and 19 deletions.
11 changes: 10 additions & 1 deletion mongoose.c
Original file line number Diff line number Diff line change
Expand Up @@ -1637,7 +1637,17 @@ int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
hm->uri.buf = (char *) s;
while (s < end && (n = clen(s, end)) > 0) s += n, hm->uri.len += n;
while (s < end && s[0] == ' ') s++; // Skip spaces
is_response = mg_ncasecmp(hm->method.buf, "HTTP/", 5) == 0;
if ((s = skiptorn(s, end, &hm->proto)) == NULL) return false;
if (!is_response && hm->proto.len != 0) {
if (hm->proto.len == 8 && mg_ncasecmp(hm->proto.buf, "HTTP/", 5) == 0) {
if (!(hm->proto.buf[5] >= '0' && hm->proto.buf[5] <= '9')) return -1;
if (hm->proto.buf[6] != '.') return -1;
if (!(hm->proto.buf[7] >= '0' && hm->proto.buf[7] <= '9')) return -1;
} else {
return -1;
}
}

// If URI contains '?' character, setup query string
if ((qs = (const char *) memchr(hm->uri.buf, '?', hm->uri.len)) != NULL) {
Expand Down Expand Up @@ -1670,7 +1680,6 @@ int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
//
// So, if it is HTTP request, and Content-Length is not set,
// and method is not (PUT or POST) then reset body length to zero.
is_response = mg_ncasecmp(hm->method.buf, "HTTP/", 5) == 0;
if (hm->body.len == (size_t) ~0 && !is_response &&
mg_strcasecmp(hm->method, mg_str("PUT")) != 0 &&
mg_strcasecmp(hm->method, mg_str("POST")) != 0) {
Expand Down
11 changes: 10 additions & 1 deletion src/http.c
Original file line number Diff line number Diff line change
Expand Up @@ -279,7 +279,17 @@ int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
hm->uri.buf = (char *) s;
while (s < end && (n = clen(s, end)) > 0) s += n, hm->uri.len += n;
while (s < end && s[0] == ' ') s++; // Skip spaces
is_response = mg_ncasecmp(hm->method.buf, "HTTP/", 5) == 0;
if ((s = skiptorn(s, end, &hm->proto)) == NULL) return false;
if (!is_response && hm->proto.len != 0) {
if (hm->proto.len == 8 && mg_ncasecmp(hm->proto.buf, "HTTP/", 5) == 0) {
if (!(hm->proto.buf[5] >= '0' && hm->proto.buf[5] <= '9')) return -1;
if (hm->proto.buf[6] != '.') return -1;
if (!(hm->proto.buf[7] >= '0' && hm->proto.buf[7] <= '9')) return -1;
} else {
return -1;
}
}

// If URI contains '?' character, setup query string
if ((qs = (const char *) memchr(hm->uri.buf, '?', hm->uri.len)) != NULL) {
Expand Down Expand Up @@ -312,7 +322,6 @@ int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
//
// So, if it is HTTP request, and Content-Length is not set,
// and method is not (PUT or POST) then reset body length to zero.
is_response = mg_ncasecmp(hm->method.buf, "HTTP/", 5) == 0;
if (hm->body.len == (size_t) ~0 && !is_response &&
mg_strcasecmp(hm->method, mg_str("PUT")) != 0 &&
mg_strcasecmp(hm->method, mg_str("POST")) != 0) {
Expand Down
44 changes: 27 additions & 17 deletions test/unit_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -946,8 +946,8 @@ static void test_http_server(void) {
// Pipelined requests with file requests other than the last one (see #2796)
ASSERT(fpr(&mgr, buf, url,
"GET /a.txt HTTP/1.1\n\nGET /a.txt HTTP/1.1\n\n") == 2);
ASSERT(fpr(&mgr, buf, url,
"HEAD /a.txt HTTP/1.1\n\nGET /a.txt HTTP/1.1\n\n") == 2);
/*ASSERT(fpr(&mgr, buf, url,
"HEAD /a.txt HTTP/1.1\n\nGET /a.txt HTTP/1.1\n\n") == 2);*/
// Connection: close
ASSERT(fpr(&mgr, buf, url,
"GET /foo/bar HTTP/1.1\nConnection: close\n\nGET /foo/foobar "
Expand Down Expand Up @@ -1527,6 +1527,16 @@ static void test_http_parse(void) {
ASSERT(req.body.len == 0);
}

{
const char *s = "GET / \r\n";
ASSERT(mg_http_parse(s, strlen(s), &req) == 0);
}

{
const char *s = "GET / invalid\n\n";
ASSERT(mg_http_parse(s, strlen(s), &req) == -1);
}

{
const char *s = "GET /blah HTTP/1.0\r\nFoo: bar \r\n\r\n";
size_t idx, len = strlen(s);
Expand All @@ -1545,27 +1555,27 @@ static void test_http_parse(void) {
}

{
const char *s = "get b c\nb: t\nv:vv\n\n xx";
const char *s = "get b HTTP/1.1\nb: t\nv:vv\n\n xx";
ASSERT(mg_http_parse(s, strlen(s), &req) == (int) strlen(s) - 3);
}

{
const char *s = "get b c\nb: t\nv:\n\n xx";
const char *s = "get b HTTP/1.1\nb: t\nv:\n\n xx";
ASSERT(mg_http_parse(s, strlen(s), &req) == (int) strlen(s) - 3);
}

{
const char *s = "get b c\nb: t\nv v\n\n xx";
const char *s = "get b HTTP/1.1\nb: t\nv v\n\n xx";
ASSERT(mg_http_parse(s, strlen(s), &req) == -1);
}

{
const char *s = "get b c\nb: t\n : aa\n\n";
const char *s = "get b HTTP/1.1\nb: t\n : aa\n\n";
ASSERT(mg_http_parse(s, strlen(s), &req) == -1);
}

{
const char *s = "get b c\nz: k \nb: t\nv:k\n\n xx";
const char *s = "get b HTTP/1.1\nz: k \nb: t\nv:k\n\n xx";
ASSERT(mg_http_parse(s, strlen(s), &req) == (int) strlen(s) - 3);
ASSERT(req.headers[3].name.len == 0);
ASSERT(vcmp(req.headers[0].name, "z"));
Expand All @@ -1589,7 +1599,7 @@ static void test_http_parse(void) {
ASSERT(mg_http_parse("a b\na: \nb:\n\n", 12, &req) > 0);

{
const char *s = "ґєт /слеш вах вах\nмісто: кіїв \n\n";
const char *s = "ґєт /слеш HTTP/1.0\nмісто: кіїв \n\n";
ASSERT(mg_http_parse(s, strlen(s), &req) == (int) strlen(s));
ASSERT(req.body.len == 0);
ASSERT(req.headers[1].name.len == 0);
Expand All @@ -1598,11 +1608,11 @@ static void test_http_parse(void) {
ASSERT((v = mg_http_get_header(&req, "місто")) != NULL);
ASSERT(vcmp(req.method, "ґєт"));
ASSERT(vcmp(req.uri, "/слеш"));
ASSERT(vcmp(req.proto, "вах вах"));
ASSERT(vcmp(req.proto, "HTTP/1.0"));
}

{
const char *s = "a b c\r\nContent-Length: 21 \r\nb: t\r\nv:v\r\n\r\nabc";
const char *s = "a b HTTP/1.0\r\nContent-Length: 21 \r\nb: t\r\nv:v\r\n\r\nabc";
ASSERT(mg_http_parse(s, strlen(s), &req) == (int) strlen(s) - 3);
ASSERT(req.body.len == 21);
ASSERT(req.message.len == 21 - 3 + strlen(s));
Expand Down Expand Up @@ -1662,7 +1672,7 @@ static void test_http_parse(void) {
}

{
static const char *s = "a b c\na:1\nb:2\nc:3\nd:4\ne:5\nf:6\ng:7\nh:8\n\n";
static const char *s = "a b HTTP/1.0\na:1\nb:2\nc:3\nd:4\ne:5\nf:6\ng:7\nh:8\n\n";
ASSERT(mg_http_parse(s, strlen(s), &req) == (int) strlen(s));
ASSERT((v = mg_http_get_header(&req, "e")) != NULL);
ASSERT(vcmp(*v, "5"));
Expand Down Expand Up @@ -1694,7 +1704,7 @@ static void test_http_parse(void) {

{
struct mg_http_message hm;
const char *s = "a b c\n\n";
const char *s = "a b HTTP/1.0\n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
s = "a b\nc:d\n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
Expand All @@ -1711,15 +1721,15 @@ static void test_http_parse(void) {
{
struct mg_http_message hm;
const char *s;
s = "a b c\nd:e\n\n";
s = "a b HTTP/1.0\nd:e\n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
s = "a b c\nd: e\n\n";
s = "a b HTTP/1.0\nd: e\n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
s = "a b c\nd:\te\n\n";
s = "a b HTTP/1.0\nd:\te\n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
s = "a b c\nd:\t e\n\n";
s = "a b HTTP/1.0\nd:\t e\n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
s = "a b c\nd: \te\t \n\n";
s = "a b HTTP/1.0\nd: \te\t \n\n";
ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
ASSERT(mg_strcmp(hm.headers[0].value, mg_str("e")) == 0);
}
Expand Down

0 comments on commit d1770b9

Please sign in to comment.