Mercurial > dovecot > core-2.2
view src/lib-http/test-http-response-parser.c @ 23017:c1d36f2575c7 default tip
lib-imap: Fix "Don't accept strings with NULs" cherry-pick
| author | Timo Sirainen <timo.sirainen@open-xchange.com> |
|---|---|
| date | Thu, 29 Aug 2019 09:55:25 +0300 |
| parents | cb108f786fb4 |
| children |
line wrap: on
line source
/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */ #include "test-lib.h" #include "buffer.h" #include "str.h" #include "str-sanitize.h" #include "istream.h" #include "ostream.h" #include "test-common.h" #include "http-response-parser.h" #include <time.h> struct valid_parse_test_response { unsigned char version_major; unsigned char version_minor; unsigned int status; uoff_t content_length; const char *payload; }; struct valid_parse_test { const char *input; enum http_response_parse_flags flags; const struct valid_parse_test_response *responses; unsigned int responses_count; }; /* Valid response tests */ static const struct valid_parse_test_response valid_responses1[] = { { .status = 200, .payload = "This is a piece of stupid text.\r\n" } }; static const struct valid_parse_test_response valid_responses2[] = { { .status = 200, .payload = "This is a piece of stupid text.\r\n" },{ .status = 200, .payload = "This is a piece of even more stupid text.\r\n" } }; static const struct valid_parse_test_response valid_responses3[] = { { .status = 401, .payload = "Frop!" } }; static const struct valid_parse_test_response valid_responses4[] = { { .status = 200, .payload = "Invalid date header" } }; static const struct valid_parse_test_response valid_responses5[] = { { .status = 200, .payload = "Duplicate headers" } }; static const struct valid_parse_test valid_response_parse_tests[] = { { .input = "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 13:02:27 GMT\r\n" "Server: Apache/2.2.16 (Debian)\r\n" "Last-Modified: Tue, 18 Sep 2012 19:31:41 GMT\r\n" "Etag: \"2a8400c-10751f-4c9fef0858140\"\r\n" "Accept-Ranges: bytes\r\n" "Content-Length: 33\r\n" "Keep-Alive: timeout=15, max=100\r\n" "Connection: Keep-Alive\r\n" "Content-Type: text/plain\r\n" "\r\n" "This is a piece of stupid text.\r\n", .responses = valid_responses1, .responses_count = N_ELEMENTS(valid_responses1) },{ .input = "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 13:02:27 GMT\r\n" "Server: Apache/2.2.16 (Debian)\r\n" "Last-Modified: Tue, 18 Sep 2012 19:31:41 GMT\r\n" "Etag: \"2a8400c-10751f-4c9fef0858140\"\r\n" "Accept-Ranges: bytes\r\n" "Content-Length: 33\r\n" "Keep-Alive: timeout=15, max=100\r\n" "Connection: Keep-Alive\r\n" "Content-Type: text/plain\r\n" "\r\n" "This is a piece of stupid text.\r\n" "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 13:02:27 GMT\r\n" "Server: Apache/2.2.16 (Debian)\r\n" "Last-Modified: Tue, 18 Sep 2012 19:31:41 GMT\r\n" "Etag: \"2a8400c-10751f-4c9fef0858140\"\r\n" "Accept-Ranges: bytes\r\n" "Content-Length: 43\r\n" "Keep-Alive: timeout=15, max=100\r\n" "Connection: Keep-Alive\r\n" "Content-Type: text/plain\r\n" "\r\n" "This is a piece of even more stupid text.\r\n", .responses = valid_responses2, .responses_count = N_ELEMENTS(valid_responses2) },{ .input = "HTTP/1.1 401 Authorization Required\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14\r\n" "WWW-Authenticate: Basic realm=\"Munin\"\r\n" "Vary: Accept-Encoding\r\n" "Content-Encoding: gzip\r\n" "Content-Length: 5\r\n" "Keep-Alive: timeout=15, max=99\r\n" "Connection: Keep-Alive\r\n" "Content-Type: text/html; charset=iso-8859-1\r\n" "\r\n" "Frop!", .responses = valid_responses3, .responses_count = N_ELEMENTS(valid_responses3) },{ .input = "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Ocu 2012 19:52:03 GMT\r\n" "Content-Length: 19\r\n" "Keep-Alive: timeout=15, max=99\r\n" "Connection: Keep-Alive\r\n" "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n" "\r\n" "Invalid date header", .responses = valid_responses4, .responses_count = N_ELEMENTS(valid_responses4) },{ .input = "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14\r\n" "Content-Length: 17\r\n" "Keep-Alive: timeout=15, max=99\r\n" "Connection: Keep-Alive\r\n" "Content-Type: text/html; charset=iso-8859-1\r\n" "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n" "\r\n" "Duplicate headers", .responses = valid_responses5, .responses_count = N_ELEMENTS(valid_responses5) } }; static const unsigned int valid_response_parse_test_count = N_ELEMENTS(valid_response_parse_tests); static void test_http_response_parse_valid(void) { unsigned int i; buffer_t *payload_buffer = buffer_create_dynamic(default_pool, 1024); for (i = 0; i < valid_response_parse_test_count; i++) T_BEGIN { struct istream *input; struct ostream *output; const struct valid_parse_test *test; const struct valid_parse_test_response *tresponse; struct http_response_parser *parser; struct http_response presponse; const char *input_text, *payload, *error; unsigned int j, pos, input_text_len; int ret = 0; i_zero(&presponse); test = &valid_response_parse_tests[i]; input_text = test->input; input_text_len = strlen(input_text); input = test_istream_create_data(input_text, input_text_len); parser = http_response_parser_init(input, NULL, valid_response_parse_tests[i].flags); test_begin(t_strdup_printf("http response valid [%d]", i)); payload = NULL; for (pos = 0; pos < input_text_len && ret == 0; pos++) { test_istream_set_size(input, pos); ret = http_response_parse_next(parser, HTTP_RESPONSE_PAYLOAD_TYPE_ALLOWED, &presponse, &error); } test_istream_set_size(input, input_text_len); i_stream_unref(&input); j = 0; test_out("parse success", ret > 0); while (ret > 0) { if (presponse.payload != NULL) { buffer_set_used_size(payload_buffer, 0); output = o_stream_create_buffer(payload_buffer); test_out("payload receive", o_stream_send_istream(output, presponse.payload)); o_stream_destroy(&output); payload = str_c(payload_buffer); } else { payload = NULL; } test_assert(j < test->responses_count); if (j >= test->responses_count) break; tresponse = &test->responses[j]; /* verify last response only */ test_out(t_strdup_printf("response->status = %d", tresponse->status), presponse.status == tresponse->status); if (payload == NULL || tresponse->payload == NULL) { test_out(t_strdup_printf("response->payload = %s", str_sanitize(payload, 80)), payload == tresponse->payload); } else { test_out(t_strdup_printf("response->payload = %s", str_sanitize(payload, 80)), strcmp(payload, tresponse->payload) == 0); } ret = http_response_parse_next(parser, HTTP_RESPONSE_PAYLOAD_TYPE_ALLOWED, &presponse, &error); if (++j == test->responses_count) test_out("parse end", ret == 0); else test_out("parse success", ret > 0); } test_assert(ret == 0); test_end(); http_response_parser_deinit(&parser); } T_END; buffer_free(&payload_buffer); } /* * Invalid response tests */ struct invalid_parse_test { const char *input; enum http_response_parse_flags flags; }; static struct invalid_parse_test invalid_response_parse_tests[] = { { .input = "XMPP/1.0 302 Found\r\n" "Location: http://www.example.nl/\r\n" "Cache-Control: private\r\n" },{ .input = "HTTP/1.1 302 Found\r\n" "Location: http://www.example.nl/\r\n" "Cache-Control: private\r\n" },{ .input = "HTTP/1.1 ABC Found\r\n" "Location: http://www.example.nl/\r\n" "Cache-Control: private\r\n" },{ .input = "HTTP/1.1 302 \177\r\n" "Location: http://www.example.nl/\r\n" "Cache-Control: private\r\n" },{ .input = "HTTP/1.1 302 Found\n\r" "Location: http://www.example.nl/\n\r" "Cache-Control: private\n\r" },{ .input = "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Ocu 2012 19:52:03 GMT\r\n" "Content-Length: 19\r\n" "Keep-Alive: timeout=15, max=99\r\n" "Connection: Keep-Alive\r\n" "\r\n" "Invalid date header", .flags = HTTP_RESPONSE_PARSE_FLAG_STRICT },{ .input = "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14\r\n" "Content-Length: 17\r\n" "Keep-Alive: timeout=15, max=99\r\n" "Connection: Keep-Alive\r\n" "Content-Type: text/html; charset=iso-8859-1\r\n" "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n" "\r\n" "Duplicate headers", .flags = HTTP_RESPONSE_PARSE_FLAG_STRICT } }; static const unsigned int invalid_response_parse_test_count = N_ELEMENTS(invalid_response_parse_tests); static void test_http_response_parse_invalid(void) { struct http_response_parser *parser; struct http_response response; const char *response_text, *error; struct istream *input; int ret; unsigned int i; for (i = 0; i < invalid_response_parse_test_count; i++) T_BEGIN { const char *test; test = invalid_response_parse_tests[i].input; response_text = test; input = i_stream_create_from_data(response_text, strlen(response_text)); parser = http_response_parser_init(input, NULL, invalid_response_parse_tests[i].flags); i_stream_unref(&input); test_begin(t_strdup_printf("http response invalid [%d]", i)); while ((ret=http_response_parse_next(parser, FALSE, &response, &error)) > 0); test_out_reason("parse failure", ret < 0, error); test_end(); http_response_parser_deinit(&parser); } T_END; } /* * Bad response tests */ static const unsigned char bad_response_with_nuls[] = "HTTP/1.1 200 OK\r\n" "Server: text\0server\r\n" "\r\n"; static void test_http_response_parse_bad(void) { struct http_response_parser *parser; struct http_response response; const char *header, *error; struct istream *input; int ret; /* parse failure guarantees http_response_header.size equals strlen(http_response_header.value) */ test_begin("http response with NULs (strict)"); input = i_stream_create_from_data(bad_response_with_nuls, sizeof(bad_response_with_nuls)-1); parser = http_response_parser_init(input, NULL, HTTP_RESPONSE_PARSE_FLAG_STRICT); i_stream_unref(&input); while ((ret=http_response_parse_next(parser, HTTP_RESPONSE_PAYLOAD_TYPE_ALLOWED, &response, &error)) > 0); test_assert(ret < 0); http_response_parser_deinit(&parser); test_end(); /* even when lenient, bad characters like NUL must not be returned */ test_begin("http response with NULs (lenient)"); input = i_stream_create_from_data(bad_response_with_nuls, sizeof(bad_response_with_nuls)-1); parser = http_response_parser_init(input, NULL, 0); i_stream_unref(&input); ret = http_response_parse_next(parser, HTTP_RESPONSE_PAYLOAD_TYPE_ALLOWED, &response, &error); test_out("parse success", ret > 0); header = http_response_header_get(&response, "server"); test_out("header present", header != NULL); if (header != NULL) { test_out(t_strdup_printf("header Server: %s", header), strcmp(header, "textserver") == 0); } ret = http_response_parse_next(parser, HTTP_RESPONSE_PAYLOAD_TYPE_ALLOWED, &response, &error); test_out("parse end", ret == 0); http_response_parser_deinit(&parser); test_end(); } int main(void) { static void (*test_functions[])(void) = { test_http_response_parse_valid, test_http_response_parse_invalid, test_http_response_parse_bad, NULL }; return test_run(test_functions); }