From: Eric Wong <normalperson@yhbt.net>
To: mongrel-unicorn@rubyforge.org
Subject: [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
Date: Wed, 13 Jul 2011 01:28:36 +0000 [thread overview]
Message-ID: <20110713012836.GA29441@dcvr.yhbt.net> (raw)
Would anybody be negatively affected by this change? I've been seeing
\x00 bytes in HTTP headers from clients and would rather stop those
clients earlier rather than later.
>From 4a8ddcd017a75b9bc99190dc565880615709d810 Mon Sep 17 00:00:00 2001
From: Eric Wong <normalperson@yhbt.net>
Date: Tue, 12 Jul 2011 23:52:33 +0000
Subject: [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
RFC 2616 doesn't appear to allow most CTL bytes even though
Mongrel always did. Rack::Lint disallows 0..31, too, though we
allow "\t" (HT, 09) since it's LWS and allowed by RFC 2616.
---
ext/unicorn_http/unicorn_http_common.rl | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ext/unicorn_http/unicorn_http_common.rl b/ext/unicorn_http/unicorn_http_common.rl
index cf93fec..cc1d455 100644
--- a/ext/unicorn_http/unicorn_http_common.rl
+++ b/ext/unicorn_http/unicorn_http_common.rl
@@ -20,6 +20,7 @@
pchar = (uchar | ":" | "@" | "&" | "=" | "+");
tspecials = ("(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\\" | "\"" | "/" | "[" | "]" | "?" | "=" | "{" | "}" | " " | "\t");
lws = (" " | "\t");
+ content = ((any -- CTL) | lws);
# elements
token = (ascii -- (CTL | tspecials));
@@ -50,9 +51,9 @@
field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field;
- field_value = any* >start_value %write_value;
+ field_value = content* >start_value %write_value;
- value_cont = lws+ any* >start_value %write_cont_value;
+ value_cont = lws+ content* >start_value %write_cont_value;
message_header = ((field_name ":" lws* field_value)|value_cont) :> CRLF;
chunk_ext_val = token*;
--
Eric Wong
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying
next reply other threads:[~2011-07-13 1:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-13 1:28 Eric Wong [this message]
2011-07-13 23:52 ` [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values Eric Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://yhbt.net/unicorn/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110713012836.GA29441@dcvr.yhbt.net \
--to=normalperson@yhbt.net \
--cc=mongrel-unicorn@rubyforge.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhbt.net/unicorn.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).