Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-3202

HTTP Parsing should not allow CTL characters in the method



    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 5.2.0
    • None
    • None


      http_parser_parse_req() will mark a series of bytes as a correctly parsed HTTP request if it meets the following constraints.

      <bytes excluding white space>+ <white space>+ <bytes excluding white space>+\n

      The first set of bytes is the method. The current code will match a bunch of control characters as a valid method (found via a case in production). Assuming the second set of bytes does not contain a valid domain name, the processing will eventually fail and return to the client a message about not being able to resolve the DNS address, which is confusing.

      Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for what characters can form a method token. From my reading, a method can be any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), and any character but white space and control characters are allowed to be in a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).

      To improve the accuracy of our processing (and the accuracy of our error messages), I'd like to change the parsing of the method token in http_parser_parse_req() to restrict control characters from the method token as well as the white space characters.


        1. TS-3202.diff
          3 kB
          Susan Hinrichs

        Issue Links



              shinrich Susan Hinrichs
              shinrich Susan Hinrichs
              0 Vote for this issue
              5 Start watching this issue