* Re: [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
2011-07-13 1:28 14% [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values Eric Wong
@ 2011-07-13 23:52 8% ` Eric Wong
0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2011-07-13 23:52 UTC (permalink / raw)
To: mongrel-unicorn
Eric Wong <normalperson@yhbt.net> wrote:
> Would anybody be negatively affected by this change? I've been seeing
> \x00 bytes in HTTP headers from clients and would rather stop those
> clients earlier rather than later.
Pushed out with tests to git://bogomips.org/unicorn.git
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying
^ permalink raw reply [relevance 8%]
* [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
@ 2011-07-13 1:28 14% Eric Wong
2011-07-13 23:52 8% ` Eric Wong
0 siblings, 1 reply; 2+ results
From: Eric Wong @ 2011-07-13 1:28 UTC (permalink / raw)
To: mongrel-unicorn
Would anybody be negatively affected by this change? I've been seeing
\x00 bytes in HTTP headers from clients and would rather stop those
clients earlier rather than later.
>From 4a8ddcd017a75b9bc99190dc565880615709d810 Mon Sep 17 00:00:00 2001
From: Eric Wong <normalperson@yhbt.net>
Date: Tue, 12 Jul 2011 23:52:33 +0000
Subject: [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values
RFC 2616 doesn't appear to allow most CTL bytes even though
Mongrel always did. Rack::Lint disallows 0..31, too, though we
allow "\t" (HT, 09) since it's LWS and allowed by RFC 2616.
---
ext/unicorn_http/unicorn_http_common.rl | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ext/unicorn_http/unicorn_http_common.rl b/ext/unicorn_http/unicorn_http_common.rl
index cf93fec..cc1d455 100644
--- a/ext/unicorn_http/unicorn_http_common.rl
+++ b/ext/unicorn_http/unicorn_http_common.rl
@@ -20,6 +20,7 @@
pchar = (uchar | ":" | "@" | "&" | "=" | "+");
tspecials = ("(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\\" | "\"" | "/" | "[" | "]" | "?" | "=" | "{" | "}" | " " | "\t");
lws = (" " | "\t");
+ content = ((any -- CTL) | lws);
# elements
token = (ascii -- (CTL | tspecials));
@@ -50,9 +51,9 @@
field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field;
- field_value = any* >start_value %write_value;
+ field_value = content* >start_value %write_value;
- value_cont = lws+ any* >start_value %write_cont_value;
+ value_cont = lws+ content* >start_value %write_cont_value;
message_header = ((field_name ":" lws* field_value)|value_cont) :> CRLF;
chunk_ext_val = token*;
--
Eric Wong
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying
^ permalink raw reply related [relevance 14%]
Results 1-2 of 2 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2011-07-13 1:28 14% [PATCH] http: reject non-LWS CTL chars (0..31 + 127) in field values Eric Wong
2011-07-13 23:52 8% ` Eric Wong
Code repositories for project(s) associated with this public inbox
https://yhbt.net/unicorn.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).