|
 |
5871b5 |
commit ea12a34d338b962707d5078d6d1fc7c6eb119a22
|
|
|
5871b5 |
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
|
|
5871b5 |
Date: 2020-05-13 14:05:00 +0000
|
|
|
5871b5 |
|
|
|
5871b5 |
Validate Content-Length value prefix (#629)
|
|
|
5871b5 |
|
|
|
5871b5 |
The new code detects all invalid Content-Length prefixes but the old
|
|
|
5871b5 |
code was already rejecting most invalid prefixes using strtoll(). The
|
|
|
5871b5 |
newly covered (and now rejected) invalid characters are
|
|
|
5871b5 |
|
|
|
5871b5 |
* explicit "+" sign;
|
|
|
5871b5 |
* explicit "-" sign in "-0" values;
|
|
|
5871b5 |
* isspace(3) characters that are not (relaxed) OWS characters.
|
|
|
5871b5 |
|
|
|
5871b5 |
In most deployment environments, the last set is probably empty because
|
|
|
5871b5 |
the relaxed OWS set has all the POSIX/C isspace(3) characters but the
|
|
|
5871b5 |
new line, and the new line is unlikely to sneak in past other checks.
|
|
|
5871b5 |
|
|
|
5871b5 |
Thank you, Amit Klein <amit.klein@safebreach.com>, for elevating the
|
|
|
5871b5 |
importance of this 2016 TODO (added in commit a1b9ec2).
|
|
|
5871b5 |
|
|
|
5871b5 |
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
|
|
|
5871b5 |
index 36957f2..c10a221 100644
|
|
|
5871b5 |
--- a/CONTRIBUTORS
|
|
|
5871b5 |
+++ b/CONTRIBUTORS
|
|
|
5871b5 |
@@ -25,6 +25,7 @@ Thank you!
|
|
|
5871b5 |
Alex Wu <alex_wu2012@hotmail.com>
|
|
|
5871b5 |
Alin Nastac <mrness@gentoo.org>
|
|
|
5871b5 |
Alter <alter@alter.org.ua>
|
|
|
5871b5 |
+ Amit Klein <amit.klein@safebreach.com>
|
|
|
5871b5 |
Amos Jeffries
|
|
|
5871b5 |
Amos Jeffries <amosjeffries@squid-cache.org>
|
|
|
5871b5 |
Amos Jeffries <squid3@treenet.co.nz>
|
|
|
5871b5 |
diff --git a/src/http/ContentLengthInterpreter.cc b/src/http/ContentLengthInterpreter.cc
|
|
|
5871b5 |
index 3fdf7de..a3741eb 100644
|
|
|
5871b5 |
--- a/src/http/ContentLengthInterpreter.cc
|
|
|
5871b5 |
+++ b/src/http/ContentLengthInterpreter.cc
|
|
|
5871b5 |
@@ -28,6 +28,24 @@ Http::ContentLengthInterpreter::ContentLengthInterpreter(const int aDebugLevel):
|
|
|
5871b5 |
{
|
|
|
5871b5 |
}
|
|
|
5871b5 |
|
|
|
5871b5 |
+/// checks whether all characters before the Content-Length number are allowed
|
|
|
5871b5 |
+/// \returns the start of the digit sequence (or nil on errors)
|
|
|
5871b5 |
+const char *
|
|
|
5871b5 |
+Http::ContentLengthInterpreter::findDigits(const char *prefix, const char * const valueEnd) const
|
|
|
5871b5 |
+{
|
|
|
5871b5 |
+ // skip leading OWS in RFC 7230's `OWS field-value OWS`
|
|
|
5871b5 |
+ const CharacterSet &whitespace = Http::One::Parser::WhitespaceCharacters();
|
|
|
5871b5 |
+ while (prefix < valueEnd) {
|
|
|
5871b5 |
+ const auto ch = *prefix;
|
|
|
5871b5 |
+ if (CharacterSet::DIGIT[ch])
|
|
|
5871b5 |
+ return prefix; // common case: a pre-trimmed field value
|
|
|
5871b5 |
+ if (!whitespace[ch])
|
|
|
5871b5 |
+ return nullptr; // (trimmed) length does not start with a digit
|
|
|
5871b5 |
+ ++prefix;
|
|
|
5871b5 |
+ }
|
|
|
5871b5 |
+ return nullptr; // empty or whitespace-only value
|
|
|
5871b5 |
+}
|
|
|
5871b5 |
+
|
|
|
5871b5 |
/// checks whether all characters after the Content-Length are allowed
|
|
|
5871b5 |
bool
|
|
|
5871b5 |
Http::ContentLengthInterpreter::goodSuffix(const char *suffix, const char * const end) const
|
|
|
5871b5 |
@@ -52,10 +70,19 @@ Http::ContentLengthInterpreter::checkValue(const char *rawValue, const int value
|
|
|
5871b5 |
{
|
|
|
5871b5 |
Must(!sawBad);
|
|
|
5871b5 |
|
|
|
5871b5 |
+ const auto valueEnd = rawValue + valueSize;
|
|
|
5871b5 |
+
|
|
|
5871b5 |
+ const auto digits = findDigits(rawValue, valueEnd);
|
|
|
5871b5 |
+ if (!digits) {
|
|
|
5871b5 |
+ debugs(55, debugLevel, "WARNING: Leading garbage or empty value in" << Raw("Content-Length", rawValue, valueSize));
|
|
|
5871b5 |
+ sawBad = true;
|
|
|
5871b5 |
+ return false;
|
|
|
5871b5 |
+ }
|
|
|
5871b5 |
+
|
|
|
5871b5 |
int64_t latestValue = -1;
|
|
|
5871b5 |
char *suffix = nullptr;
|
|
|
5871b5 |
- // TODO: Handle malformed values with leading signs (e.g., "-0" or "+1").
|
|
|
5871b5 |
- if (!httpHeaderParseOffset(rawValue, &latestValue, &suffix)) {
|
|
|
5871b5 |
+
|
|
|
5871b5 |
+ if (!httpHeaderParseOffset(digits, &latestValue, &suffix)) {
|
|
|
5871b5 |
debugs(55, DBG_IMPORTANT, "WARNING: Malformed" << Raw("Content-Length", rawValue, valueSize));
|
|
|
5871b5 |
sawBad = true;
|
|
|
5871b5 |
return false;
|
|
|
5871b5 |
@@ -68,7 +95,7 @@ Http::ContentLengthInterpreter::checkValue(const char *rawValue, const int value
|
|
|
5871b5 |
}
|
|
|
5871b5 |
|
|
|
5871b5 |
// check for garbage after the number
|
|
|
5871b5 |
- if (!goodSuffix(suffix, rawValue + valueSize)) {
|
|
|
5871b5 |
+ if (!goodSuffix(suffix, valueEnd)) {
|
|
|
5871b5 |
debugs(55, debugLevel, "WARNING: Trailing garbage in" << Raw("Content-Length", rawValue, valueSize));
|
|
|
5871b5 |
sawBad = true;
|
|
|
5871b5 |
return false;
|
|
|
5871b5 |
diff --git a/src/http/ContentLengthInterpreter.h b/src/http/ContentLengthInterpreter.h
|
|
|
5871b5 |
index ce36e22..f22de91 100644
|
|
|
5871b5 |
--- a/src/http/ContentLengthInterpreter.h
|
|
|
5871b5 |
+++ b/src/http/ContentLengthInterpreter.h
|
|
|
5871b5 |
@@ -46,6 +46,7 @@ public:
|
|
|
5871b5 |
bool sawGood;
|
|
|
5871b5 |
|
|
|
5871b5 |
protected:
|
|
|
5871b5 |
+ const char *findDigits(const char *prefix, const char *valueEnd) const;
|
|
|
5871b5 |
bool goodSuffix(const char *suffix, const char * const end) const;
|
|
|
5871b5 |
bool checkValue(const char *start, const int size);
|
|
|
5871b5 |
bool checkList(const String &list);
|