Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-3202

HTTP Parsing should not allow CTL characters in the method

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2.0
    • Component/s: None
    • Labels:
      None

      Description

      http_parser_parse_req() will mark a series of bytes as a correctly parsed HTTP request if it meets the following constraints.

      <bytes excluding white space>+ <white space>+ <bytes excluding white space>+\n

      The first set of bytes is the method. The current code will match a bunch of control characters as a valid method (found via a case in production). Assuming the second set of bytes does not contain a valid domain name, the processing will eventually fail and return to the client a message about not being able to resolve the DNS address, which is confusing.

      Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for what characters can form a method token. From my reading, a method can be any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), and any character but white space and control characters are allowed to be in a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).

      To improve the accuracy of our processing (and the accuracy of our error messages), I'd like to change the parsing of the method token in http_parser_parse_req() to restrict control characters from the method token as well as the white space characters.

        Attachments

        1. TS-3202.diff
          3 kB
          Susan Hinrichs

          Issue Links

            Activity

              People

              • Assignee:
                shinrich Susan Hinrichs
                Reporter:
                shinrich Susan Hinrichs
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: