kore

Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git

commit 1447f6573f8272adf950f6a44f8deb036e3a19aa
parent 3312a2882f7f1eea041c8823225e7f4a8c810d03
Author: Joris Vink <joris@coders.se>
Date:   Tue, 17 Jul 2018 20:17:05 +0200

better http header validation.

Diffstat:
src/http.c | 123+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 108 insertions(+), 15 deletions(-)

diff --git a/src/http.c b/src/http.c @@ -61,6 +61,58 @@ static struct { { NULL, NULL }, }; +#define HTTP_MAP_LIMIT 127 + +/* + * token = 1*<any CHAR except CTLs or separators> + * separators = "(" | ")" | "<" | ">" | "@" + * | "," | ";" | ":" | "\" | <"> + * | "/" | "[" | "]" | "?" | "=" + * | "{" | "}" | SP | HT + */ +static const char http_token[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, '!' , 0x00, '#' , '$' , '%' , '&' , '\'', + 0x00, 0x00, '*' , '+' , 0x00, '-' , '.' , 0x00, + '0' , '1' , '2' , '3' , '4' , '5' , '6' , '7' , + '8' , '9' , 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 'A' , 'B' , 'C' , 'D' , 'E' , 'F' , 'G' , + 'H' , 'I' , 'J' , 'K' , 'L' , 'M' , 'N' , 'O' , + 'P' , 'Q' , 'R' , 'S' , 'T' , 'U' , 'V' , 'W' , + 'X' , 'Y' , 'Z' , 0x00, 0x00, 0x00, '^' , '_' , + '`' , 'a' , 'b' , 'c' , 'd' , 'e' , 'f' , 'g' , + 'h' , 'i' , 'j' , 'k' , 'l' , 'm' , 'n' , 'o' , + 'p' , 'q' , 'r' , 's' , 't' , 'u' , 'v' , 'w' , + 'x' , 'y' , 'z' , 0x00, '|' , 0x00, '~' , +}; + +/* + * field-content = <the OCTETs making up the field-value + * and consisting of either *TEXT or combinations + * of token, separators, and quoted-string> + */ +static const char http_field_content[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + ' ' , '!' , '"' , '#' , '$' , '%' , '&' , '\'', + '(' , ')' , '*' , '+' , ',' , '-' , '.' , '/' , + '0' , '1' , '2' , '3' , '4' , '5' , '6' , '7' , + '8' , '9' , ':' , ';' , '<' , '=' , '>' , '?' , + '@' , 'A' , 'B' , 'C' , 'D' , 'E' , 'F' , 'G' , + 'H' , 'I' , 'J' , 'K' , 'L' , 'M' , 'N' , 'O' , + 'P' , 'Q' , 'R' , 'S' , 'T' , 'U' , 'V' , 'W' , + 'X' , 'Y' , 'Z' , '[' , '\\', ']' , '^' , '_' , + '`' , 'a' , 'b' , 'c' , 'd' , 'e' , 'f' , 'g' , + 'h' , 'i' , 'j' , 'k' , 'l' , 'm' , 'n' , 'o' , + 'p' , 'q' , 'r' , 's' , 't' , 'u' , 'v' , 'w' , + 'x' , 'y' , 'z' , '{' , '|' , '}' , '~' , +}; + static int http_body_recv(struct netbuf *); static void http_error_response(struct connection *, int); static void http_write_response_cookie(struct http_cookie *); @@ -77,6 +129,7 @@ static int multipart_parse_headers(struct http_request *, struct kore_buf *, struct kore_buf *, const char *, const int); +static char *http_validate_header(char *); static struct http_request *http_request_new(struct connection *, const char *, const char *, char *, const char *); @@ -584,6 +637,7 @@ http_request_cookie(struct http_request *req, const char *cookie, char **out) int http_header_recv(struct netbuf *nb) { + struct connection *c; size_t len; ssize_t ret; struct http_header *hdr; @@ -592,10 +646,10 @@ http_header_recv(struct netbuf *nb) u_int64_t bytes_left; u_int8_t *end_headers; int h, i, v, skip, l; - char *request[4], *host, *hbuf; - char *p, *headers[HTTP_REQ_HEADER_MAX]; - struct connection *c = (struct connection *)nb->owner; + char *headers[HTTP_REQ_HEADER_MAX]; + char *value, *host, *request[4], *hbuf; + c = nb->owner; kore_debug("http_header_recv(%p)", nb); if (nb->b_len < 4) @@ -633,19 +687,16 @@ http_header_recv(struct netbuf *nb) if (strncasecmp(headers[i], "host", 4)) continue; - if ((host = strchr(headers[i], ':')) == NULL) { + if ((host = http_validate_header(headers[i])) == NULL) { http_error_response(c, 400); return (KORE_RESULT_OK); } - *(host)++ = '\0'; - if (*host == '\0') { http_error_response(c, 400); return (KORE_RESULT_OK); } - host++; skip = i; break; } @@ -668,18 +719,21 @@ http_header_recv(struct netbuf *nb) if (i == skip) continue; - p = strchr(headers[i], ':'); - if (p == NULL) { - kore_debug("malformed header: '%s'", headers[i]); - continue; + if ((value = http_validate_header(headers[i])) == NULL) { + req->flags |= HTTP_REQUEST_DELETE; + http_error_response(c, 400); + return (KORE_RESULT_OK); + } + + if (*value == '\0') { + req->flags |= HTTP_REQUEST_DELETE; + http_error_response(c, 400); + return (KORE_RESULT_OK); } - *(p++) = '\0'; - if (*p == ' ') - p++; hdr = kore_pool_get(&http_header_pool); hdr->header = headers[i]; - hdr->value = p; + hdr->value = value; TAILQ_INSERT_TAIL(&(req->req_headers), hdr, list); if (req->agent == NULL && @@ -2083,3 +2137,42 @@ http_media_type(const char *path) return (NULL); } + +static char * +http_validate_header(char *header) +{ + u_int8_t idx; + char *p, *value; + + for (p = header; *p != '\0'; p++) { + idx = *p; + if (idx > HTTP_MAP_LIMIT) + return (NULL); + + if (*p == ':') { + *(p)++ = '\0'; + break; + } + + if (http_token[idx] == 0x00) + return (NULL); + } + + while (isspace(*(unsigned char *)p)) + p++; + + if (*p == '\0') + return (NULL); + + value = p; + while (*p != '\0') { + idx = *p; + if (idx > HTTP_MAP_LIMIT) + return (NULL); + if (http_field_content[idx] == 0x00) + return (NULL); + p++; + } + + return (value); +}