emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

httpd: don't allow tabs and multiple spaces in request string

Browse Source 
HTTP standard doesn't allow it and no sane clients should ever use it.

function                                             old     new   delta
handle_incoming_and_exit                            2795    2785     -10

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2013-03-25 23:27:00 +01:00
parent c608731e78
commit 85daa67bc2
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
networking/httpd.c
View File

@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
send_headers_and_exit(HTTP_BAD_REQUEST);
/* Determine type of request (GET/POST) */
urlp = strpbrk(iobuf, " \t");
// rfc2616: method and URI is separated by exactly one space
//urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
urlp = strchr(iobuf, ' ');
if (urlp == NULL)
send_headers_and_exit(HTTP_BAD_REQUEST);
*urlp++ = '\0';
@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
if (strcasecmp(iobuf, request_GET) != 0)
send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
#endif
urlp = skip_whitespace(urlp);
// rfc2616: method and URI is separated by exactly one space
//urlp = skip_whitespace(urlp); - should not be necessary
if (urlp[0] != '/')
send_headers_and_exit(HTTP_BAD_REQUEST);