diff -up http-parser-2.7.1/http_parser.c.cve http-parser-2.7.1/http_parser.c
--- http-parser-2.7.1/http_parser.c.cve 2019-03-23 09:08:12.831806096 +0100
+++ http-parser-2.7.1/http_parser.c 2019-03-23 09:09:45.047875248 +0100
@@ -1483,6 +1483,11 @@ reexecute:
parser->header_state = h_content_length_num;
break;
+ /* when obsolete line folding is encountered for content length
+ * continue to the s_header_value state */
+ case h_content_length_ws:
+ break;
+
case h_connection:
/* looking for 'Connection: keep-alive' */
if (c == 'k') {
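Review bot: The comment above `case h_content_length_ws:` names a parser state (`s_header_value`) although the case sits in a switch on `parser->header_state`, and it does not say why an empty case is needed. Presumably the case keeps the switch's fallback branch, which is not visible in this hunk, from changing `header_state` after a folded line. If that is right, a wording such as `/* obs-fold after Content-Length digits: keep h_content_length_ws so the value parser still validates what follows */` would say so directly. The enclosing switch starts and ends outside the hunk.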
@@ -1727,6 +1732,10 @@ reexecute:
case s_header_value_lws:
{
if (ch == ' ' || ch == '\t') {
+ if (parser->header_state == h_content_length_num) {
+ /* treat obsolete line folding as space */
+ parser->header_state = h_content_length_ws;
+ }
UPDATE_STATE(s_header_value_start);
REEXECUTE();
}
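Review bot: The comment `treat obsolete line folding as space` in the `s_header_value_lws` branch understates what the state change protects. Going by the cases added to test.c, a folded line carrying anything but whitespace after the digits ends in HPE_INVALID_CONTENT_LENGTH, which keeps the declared body length unambiguous. A comment such as `/* obs-fold after the digits: only whitespace may follow, so a continuation can neither extend the length nor be silently ignored */` would record that intent. The branch also accepts `'\t'` as the fold character, and the code that consumes `h_content_length_ws` is outside this hunk, so confirm that a tab-led fold is handled the same way as a space-led one. The case body continues outside the hunk.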
diff -up http-parser-2.7.1/test.c.cve http-parser-2.7.1/test.c
--- http-parser-2.7.1/test.c.cve 2019-03-23 09:08:12.831806096 +0100
+++ http-parser-2.7.1/test.c 2019-03-23 09:09:45.049875249 +0100
@@ -3968,6 +3968,20 @@ main (void)
HPE_INVALID_CONTENT_LENGTH,
HTTP_REQUEST);
+ test_simple_type(
+ "POST / HTTP/1.1\r\n"
+ "Content-Length: 42\r\n"
+ " Hello world!\r\n",
+ HPE_INVALID_CONTENT_LENGTH,
+ HTTP_REQUEST);
+
+ test_simple_type(
+ "POST / HTTP/1.1\r\n"
+ "Content-Length: 42\r\n"
+ " \r\n",
+ HPE_OK,
+ HTTP_REQUEST);
+
//// RESPONSES
for (i = 0; i < response_count; i++) {
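Review bot: Neither new case puts digits on the continuation line, which is the input where a regression would change the parsed length rather than only the error code. A third case with a digit on the folded line, expecting HPE_INVALID_CONTENT_LENGTH like the "Hello world!" case, would pin that behaviour. Both cases also fold with a space only, although the patched `s_header_value_lws` branch accepts a tab as well, so add a tab-led variant of each once its expected result is confirmed against the parser. main() starts and ends outside the hunk.

```c
/* … unchanged: the two obs-fold cases added by this patch … */
test_simple_type(
    "POST / HTTP/1.1\r\n"
    "Content-Length: 42\r\n"
    " 1\r\n",
    HPE_INVALID_CONTENT_LENGTH,
    HTTP_REQUEST);
```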