[squid-dev] [PATCH] Non-HTTP bypass

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 16 13:58:07 UTC 2015


On 17/01/2015 12:31 a.m., Tsantilas Christos wrote:
> I am preparing this patch for commit, but I have many problems
> with the tests/testHttp1Parser tester. Most of the problems are caused
> because the changes I made in Http1Parser abort parsing immediately
> when no valid characters are found for the request method.
> 
> These problems can be fixed; however, there are 1-2 cases where I am
> not sure about the correct fix.
> 
> For example, Http1Parser without my fixes considers as valid
> methods:
>  - those with tabs inside the method name, for example "\tGET"
>  - those with '\0' at the end of the method name
> 
> About the "\t", probably we should "eat" tabs with spaces in
> skipGarbageLines. About the '\0', do we have such cases?  The truth
> is that I remember, in the past, cases where a '\0' appeared
> inside HTTP request headers. But maybe in these cases we must not
> include it in the HTTP request method, but consider it as a space.....

Both of them are not valid HTTP as of RFC 7230; this is a
clarification since 2616, which could be interpreted as allowing them.
Your parser change is correct in rejecting them.

The tests are in this condition because I have not yet re-coded that
part of the parser to be fully RFC 7230 compliant. In other words, alter
those tests as needed to pass with your method character set change.

FWIW: RFC 7230 now explicitly states the characters which may
exist in and around the method:
 * method is a token
(<http://tools.ietf.org/html/rfc7230#section-3.2.6>) made only of
valid tchar,
 * with tolerant parsing method MAY be prefixed by an LF,
 * method is followed by specifically an SP character,
 * invalid method (thus invalid request-line) SHOULD be rejected with
a 400 status message.

Amos
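As an added example (not Squid's Http1Parser code, nor anything from the thread), a request-line method check that implements the four RFC 7230 rules listed above. The helper names `isTchar`, `MethodResult` and `parseRequestMethod` are hypothetical, and the inputs are constructed to cover the "\tGET" and trailing '\0' cases from the message being replied to.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// RFC 7230 section 3.2.6: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+"
//   / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
static bool isTchar(unsigned char c) {
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return true;
    switch (c) {
    case '!': case '#': case '$': case '%': case '&': case '\'': case '*': case '+':
    case '-': case '.': case '^': case '_': case '`': case '|': case '~':
        return true;
    default:
        return false;
    }
}

struct MethodResult {
    int status;          // 0 = method accepted, 400 = invalid request-line, reject
    std::string method;  // the method token when status == 0
    std::size_t next;    // offset of the first byte after the SP that ends the method
};

// Hypothetical helper, not Squid's Http1Parser. Takes a std::string with an explicit
// length so that an embedded '\0' is seen as a byte, not as a C-string terminator.
MethodResult parseRequestMethod(const std::string &buf) {
    std::size_t i = 0;
    // Tolerant parsing: ignore one empty line (bare LF or CRLF) before the request-line.
    if (i + 1 < buf.size() && buf[i] == '\r' && buf[i + 1] == '\n') i += 2;
    else if (i < buf.size() && buf[i] == '\n') i += 1;
    const std::size_t start = i;
    // The method is a token: consume tchar only, so "\t" or '\0' stops the scan.
    while (i < buf.size() && isTchar(static_cast<unsigned char>(buf[i]))) ++i;
    // Non-empty token followed by exactly one SP; anything else is a 400.
    if (i == start || i >= buf.size() || buf[i] != ' ')
        return {400, std::string(), i};
    return {0, buf.substr(start, i - start), i + 1};
}

int main() {
    // Constructed inputs covering the two cases from the thread.
    const std::string inputs[] = {"GET / HTTP/1.1", "\tGET / HTTP/1.1",
                                  std::string("GET\0 / HTTP/1.1", 15)};
    for (const std::string &in : inputs) {
        MethodResult r = parseRequestMethod(in);
        std::cout << (r.status == 0 ? "accepted " + r.method : std::string("reject 400")) << '\n';
    }
}
```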