httpd: don't allow tabs and multiple spaces in request string
HTTP standard doesn't allow it and no sane clients should ever use it. function old new delta handle_incoming_and_exit 2795 2785 -10 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
parent
c608731e78
commit
85daa67bc2
@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
|
|||||||
send_headers_and_exit(HTTP_BAD_REQUEST);
|
send_headers_and_exit(HTTP_BAD_REQUEST);
|
||||||
|
|
||||||
/* Determine type of request (GET/POST) */
|
/* Determine type of request (GET/POST) */
|
||||||
urlp = strpbrk(iobuf, " \t");
|
// rfc2616: method and URI is separated by exactly one space
|
||||||
|
//urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
|
||||||
|
urlp = strchr(iobuf, ' ');
|
||||||
if (urlp == NULL)
|
if (urlp == NULL)
|
||||||
send_headers_and_exit(HTTP_BAD_REQUEST);
|
send_headers_and_exit(HTTP_BAD_REQUEST);
|
||||||
*urlp++ = '\0';
|
*urlp++ = '\0';
|
||||||
@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
|
|||||||
if (strcasecmp(iobuf, request_GET) != 0)
|
if (strcasecmp(iobuf, request_GET) != 0)
|
||||||
send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
|
send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
|
||||||
#endif
|
#endif
|
||||||
urlp = skip_whitespace(urlp);
|
// rfc2616: method and URI is separated by exactly one space
|
||||||
|
//urlp = skip_whitespace(urlp); - should not be necessary
|
||||||
if (urlp[0] != '/')
|
if (urlp[0] != '/')
|
||||||
send_headers_and_exit(HTTP_BAD_REQUEST);
|
send_headers_and_exit(HTTP_BAD_REQUEST);
|
||||||
|
|
||||||
|
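Review bot: In the second hunk, dropping `skip_whitespace(urlp)` leaves the `urlp[0] != '/'` test as the only thing that rejects extra spaces after the method, and the leftover `//urlp = skip_whitespace(urlp); - should not be necessary` does not say so. I would delete both commented-out calls (this one and `//urlp = strpbrk(iobuf, " \t");` in the first hunk) and state the dependency instead: `/* exactly one SP after the method: extra whitespace fails the '/' check below with 400 */`. The visible lines tighten only the method/URI separator. Whether a tab or repeated space between the URI and the HTTP version is still accepted is decided further down in handle_incoming_and_exit, which starts and ends outside both hunks; it is worth confirming, because lenient request-line whitespace is where a front-end proxy and this server can disagree about the same request.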