1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
| | # Copyright (c) 2005 Zed A. Shaw
# You can redistribute it and/or modify it under the same terms as Ruby.
#
# Additional work donated by contributors. See http://mongrel.rubyforge.org/attributions.html
# for more information.
require 'test/test_helper'
include Unicorn
class HttpParserTest < Test::Unit::TestCase
def test_parse_simple
parser = HttpParser.new
req = {}
http = "GET / HTTP/1.1\r\n\r\n"
nread = parser.execute(req, http, 0)
assert nread == http.length, "Failed to parse the full HTTP request"
assert parser.finished?, "Parser didn't finish"
assert !parser.error?, "Parser had error"
assert nread == parser.nread, "Number read returned from execute does not match"
assert_equal 'HTTP/1.1', req['SERVER_PROTOCOL']
assert_equal '/', req['REQUEST_PATH']
assert_equal 'HTTP/1.1', req['HTTP_VERSION']
assert_equal '/', req['REQUEST_URI']
assert_equal 'CGI/1.2', req['GATEWAY_INTERFACE']
assert_equal 'GET', req['REQUEST_METHOD']
assert_nil req['FRAGMENT']
assert_nil req['QUERY_STRING']
parser.reset
assert parser.nread == 0, "Number read after reset should be 0"
end
def test_parse_strange_headers
parser = HttpParser.new
req = {}
should_be_good = "GET / HTTP/1.1\r\naaaaaaaaaaaaa:++++++++++\r\n\r\n"
nread = parser.execute(req, should_be_good, 0)
assert_equal should_be_good.length, nread
assert parser.finished?
assert !parser.error?
# ref: http://thread.gmane.org/gmane.comp.lang.ruby.Unicorn.devel/37/focus=45
# (note we got 'pen' mixed up with 'pound' in that thread,
# but the gist of it is still relevant: these nasty headers are irrelevant
#
# nasty_pound_header = "GET / HTTP/1.1\r\nX-SSL-Bullshit: -----BEGIN CERTIFICATE-----\r\n\tMIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx\r\n\tETAPBgNVBAoTCGVTY2llbmNlMRIwEAYDVQQLEwlBdXRob3JpdHkxCzAJBgNVBAMT\r\n\tAkNBMS0wKwYJKoZIhvcNAQkBFh5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMu\r\n\tdWswHhcNMDYwNzI3MTQxMzI4WhcNMDcwNzI3MTQxMzI4WjBbMQswCQYDVQQGEwJV\r\n\tSzERMA8GA1UEChMIZVNjaWVuY2UxEzARBgNVBAsTCk1hbmNoZXN0ZXIxCzAJBgNV\r\n\tBAcTmrsogriqMWLAk1DMRcwFQYDVQQDEw5taWNoYWVsIHBhcmQYJKoZIhvcNAQEB\r\n\tBQADggEPADCCAQoCggEBANPEQBgl1IaKdSS1TbhF3hEXSl72G9J+WC/1R64fAcEF\r\n\tW51rEyFYiIeZGx/BVzwXbeBoNUK41OK65sxGuflMo5gLflbwJtHBRIEKAfVVp3YR\r\n\tgW7cMA/s/XKgL1GEC7rQw8lIZT8RApukCGqOVHSi/F1SiFlPDxuDfmdiNzL31+sL\r\n\t0iwHDdNkGjy5pyBSB8Y79dsSJtCW/iaLB0/n8Sj7HgvvZJ7x0fr+RQjYOUUfrePP\r\n\tu2MSpFyf+9BbC/aXgaZuiCvSR+8Snv3xApQY+fULK/xY8h8Ua51iXoQ5jrgu2SqR\r\n\twgA7BUi3G8LFzMBl8FRCDYGUDy7M6QaHXx1ZWIPWNKsCAwEAAaOCAiQwggIgMAwG\r\n\tA1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwID6DAs\r\n\tBglghkgBhvhCAQ0EHxYdVUsgZS1TY2llbmNlIFVzZXIgQ2VydGlmaWNhdGUwHQYD\r\n\tVR0OBBYEFDTt/sf9PeMaZDHkUIldrDYMNTBZMIGaBgNVHSMEgZIwgY+AFAI4qxGj\r\n\tloCLDdMVKwiljjDastqooXSkcjBwMQswCQYDVQQGEwJVSzERMA8GA1UEChMIZVNj\r\n\taWVuY2UxEjAQBgNVBAsTCUF1dGhvcml0eTELMAkGA1UEAxMCQ0ExLTArBgkqhkiG\r\n\t9w0BCQEWHmNhLW9wZXJhdG9yQGdyaWQtc3VwcG9ydC5hYy51a4IBADApBgNVHRIE\r\n\tIjAggR5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMudWswGQYDVR0gBBIwEDAO\r\n\tBgwrBgEEAdkvAQEBAQYwPQYJYIZIAYb4QgEEBDAWLmh0dHA6Ly9jYS5ncmlkLXN1\r\n\tcHBvcnQuYWMudmT4sopwqlBWsvcHViL2NybC9jYWNybC5jcmwwPQYJYIZIAYb4QgEDBDAWLmh0\r\n\tdHA6Ly9jYS5ncmlkLXN1cHBvcnQuYWMudWsvcHViL2NybC9jYWNybC5jcmwwPwYD\r\n\tVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NhLmdyaWQt5hYy51ay9wdWIv\r\n\tY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAS/U4iiooBENGW/Hwmmd3\r\n\tXCy6Zrt08YjKCzGNjorT98g8uGsqYjSxv/hmi0qlnlHs+k/3Iobc3LjS5AMYr5L8\r\n\tUO7OSkgFFlLHQyC9JzPfmLCAugvzEbyv4Olnsr8hbxF1MbKZoQxUZtMVu29wjfXk\r\n\thTeApBv7eaKCWpSp7MCbvgzm74izKhu3vlDk9w6qVrxePfGgpKPqfHiOoGhFnbTK\r\n\twTC6o2xq5y0qZ03JonF7OJspEd3I5zKY3E+ov7/ZhW6DqT8UFvsAdjvQbXyhV8Eu\r\n\tYhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3\r\n\tRA==\r\n\t-----END CERTIFICATE-----\r\n\r\n"
# parser = HttpParser.new
# req = {}
# nread = parser.execute(req, nasty_pound_header, 0)
# assert_equal nasty_pound_header.length, nread
# assert parser.finished?
# assert !parser.error?
end
def test_parse_ie6_urls
%w(/some/random/path"
/some/random/path>
/some/random/path<
/we/love/you/ie6?q=<"">
/url?<="&>="
/mal"formed"?
).each do |path|
parser = HttpParser.new
req = {}
sorta_safe = %(GET #{path} HTTP/1.1\r\n\r\n)
nread = parser.execute(req, sorta_safe, 0)
assert_equal sorta_safe.length, nread
assert parser.finished?
assert !parser.error?
end
end
def test_parse_error
parser = HttpParser.new
req = {}
bad_http = "GET / SsUTF/1.1"
error = false
begin
nread = parser.execute(req, bad_http, 0)
rescue => details
error = true
end
assert error, "failed to throw exception"
assert !parser.finished?, "Parser shouldn't be finished"
assert parser.error?, "Parser SHOULD have error"
end
def test_fragment_in_uri
parser = HttpParser.new
req = {}
get = "GET /forums/1/topics/2375?page=1#posts-17408 HTTP/1.1\r\n\r\n"
assert_nothing_raised do
parser.execute(req, get, 0)
end
assert parser.finished?
assert_equal '/forums/1/topics/2375?page=1', req['REQUEST_URI']
assert_equal 'posts-17408', req['FRAGMENT']
end
# lame random garbage maker
def rand_data(min, max, readable=true)
count = min + ((rand(max)+1) *10).to_i
res = count.to_s + "/"
if readable
res << Digest::SHA1.hexdigest(rand(count * 100).to_s) * (count / 40)
else
res << Digest::SHA1.digest(rand(count * 100).to_s) * (count / 20)
end
return res
end
def test_horrible_queries
parser = HttpParser.new
# then that large header names are caught
10.times do |c|
get = "GET /#{rand_data(10,120)} HTTP/1.1\r\nX-#{rand_data(1024, 1024+(c*1024))}: Test\r\n\r\n"
assert_raises Unicorn::HttpParserError do
parser.execute({}, get, 0)
parser.reset
end
end
# then that large mangled field values are caught
10.times do |c|
get = "GET /#{rand_data(10,120)} HTTP/1.1\r\nX-Test: #{rand_data(1024, 1024+(c*1024), false)}\r\n\r\n"
assert_raises Unicorn::HttpParserError do
parser.execute({}, get, 0)
parser.reset
end
end
# then large headers are rejected too
get = "GET /#{rand_data(10,120)} HTTP/1.1\r\n"
get << "X-Test: test\r\n" * (80 * 1024)
assert_raises Unicorn::HttpParserError do
parser.execute({}, get, 0)
parser.reset
end
# finally just that random garbage gets blocked all the time
10.times do |c|
get = "GET #{rand_data(1024, 1024+(c*1024), false)} #{rand_data(1024, 1024+(c*1024), false)}\r\n\r\n"
assert_raises Unicorn::HttpParserError do
parser.execute({}, get, 0)
parser.reset
end
end
end
end
|