Mercurial > dovecot > core-2.2
changeset 22481:658e239267b2
lib-http: message parser: Reject messages with invalid Date header when HTTP_MESSAGE_PARSE_FLAG_STRICT flag is enabled.
author | Stephan Bosch <stephan.bosch@dovecot.fi> |
---|---|
date | Thu, 27 Jul 2017 16:34:34 +0200 |
parents | 57b725e7920b |
children | c5387cdc3964 |
files | src/lib-http/http-message-parser.c src/lib-http/test-http-request-parser.c src/lib-http/test-http-response-parser.c |
diffstat | 3 files changed, 57 insertions(+), 3 deletions(-) [+] |
--- a/src/lib-http/http-message-parser.c Thu Jul 27 16:30:20 2017 +0200 +++ b/src/lib-http/http-message-parser.c Thu Jul 27 16:34:34 2017 +0200 @@ -229,7 +229,12 @@ Date = HTTP-date */ - (void)http_date_parse(data, size, &parser->msg.date); + if (!http_date_parse(data, size, &parser->msg.date) && + (parser->flags & HTTP_MESSAGE_PARSE_FLAG_STRICT) != 0) { + parser->error = "Invalid Date header"; + parser->error_code = HTTP_MESSAGE_PARSE_ERROR_BROKEN_MESSAGE; + return -1; + } return 0; } break;
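Review bot: In the non-strict path a failed `http_date_parse()` is now ignored only through the short-circuit of the `&&`, and nothing in the hunk says what `parser->msg.date` holds afterwards. If http_date_parse() can write to its output before failing (its body is not visible here), lenient callers would see a date that was never validated, which matters for anything that derives freshness or expiry from it. I would either confirm that it leaves the output untouched on failure and say so in a comment, e.g. `/* lenient: unparsable Date is ignored; msg.date keeps its unset value */`, or reset the field explicitly in the failure branch. The enclosing function starts and ends outside the hunk.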
--- a/src/lib-http/test-http-request-parser.c Thu Jul 27 16:30:20 2017 +0200 +++ b/src/lib-http/test-http-request-parser.c Thu Jul 27 16:34:34 2017 +0200 @@ -139,6 +139,18 @@ .expect_100_continue = TRUE },{ .request = "GET / HTTP/1.1\r\n" + "Date: Mon, 09 Kul 2018 02:24:29 GMT\r\n" + "Host: example.com\r\n" + "\r\n", + .method = "GET", + .target_raw = "/", + .target = { + .format = HTTP_REQUEST_TARGET_FORMAT_ORIGIN, + .url = { .host_name = "example.com" } + }, + .version_major = 1, .version_minor = 1, + },{ .request = + "GET / HTTP/1.1\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Host: example.com\r\n" "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n" @@ -370,6 +382,14 @@ },{ .request = "GET / HTTP/1.1\r\n" + "Date: Mon, 09 Kul 2018 02:24:29 GMT\r\n" + "Host: example.com\r\n" + "\r\n", + .flags = HTTP_REQUEST_PARSE_FLAG_STRICT, + .error_code = HTTP_REQUEST_PARSE_ERROR_BROKEN_REQUEST + },{ + .request = + "GET / HTTP/1.1\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Host: example.com\r\n" "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n"
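Review bot: The new fixtures rely on the misspelled month `Kul` to make the Date invalid, but nothing marks that as deliberate, so a later cleanup could "correct" it and silently turn both entries into valid-date tests; the same applies to `Ocu` in test-http-response-parser.c. A one-line comment above each entry would do, e.g. `/* deliberately invalid month: Date must be ignored (lenient) or rejected (strict) */`. The lenient entry in the first hunk also pins only method, target and version, so it would still pass if the bogus header produced some date value; if the test struct can express an expected date (not visible here), asserting that it stays unset would close that gap.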
--- a/src/lib-http/test-http-response-parser.c Thu Jul 27 16:30:20 2017 +0200 +++ b/src/lib-http/test-http-response-parser.c Thu Jul 27 16:34:34 2017 +0200 @@ -56,6 +56,13 @@ static const struct valid_parse_test_response valid_responses4[] = { { .status = 200, + .payload = "Invalid date header" + } +}; + +static const struct valid_parse_test_response valid_responses5[] = { + { + .status = 200, .payload = "Duplicate headers" } }; @@ -124,6 +131,18 @@ },{ .input = "HTTP/1.1 200 OK\r\n" + "Date: Sun, 07 Ocu 2012 19:52:03 GMT\r\n" + "Content-Length: 19\r\n" + "Keep-Alive: timeout=15, max=99\r\n" + "Connection: Keep-Alive\r\n" + "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n" + "\r\n" + "Invalid date header", + .responses = valid_responses4, + .responses_count = N_ELEMENTS(valid_responses4) + },{ + .input = + "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14\r\n" "Content-Length: 17\r\n" @@ -133,8 +152,8 @@ "Date: Sun, 13 Oct 2013 13:13:13 GMT\r\n" "\r\n" "Duplicate headers", - .responses = valid_responses4, - .responses_count = N_ELEMENTS(valid_responses4) + .responses = valid_responses5, + .responses_count = N_ELEMENTS(valid_responses5) } }; @@ -263,6 +282,16 @@ },{ .input = "HTTP/1.1 200 OK\r\n" + "Date: Sun, 07 Ocu 2012 19:52:03 GMT\r\n" + "Content-Length: 19\r\n" + "Keep-Alive: timeout=15, max=99\r\n" + "Connection: Keep-Alive\r\n" + "\r\n" + "Invalid date header", + .flags = HTTP_RESPONSE_PARSE_FLAG_STRICT + },{ + .input = + "HTTP/1.1 200 OK\r\n" "Date: Sun, 07 Oct 2012 19:52:03 GMT\r\n" "Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14\r\n" "Content-Length: 17\r\n"
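Review bot: The lenient and strict response fixtures are not the same input: the entry added to the valid list carries a second, well-formed `Date: Sun, 13 Oct 2013 13:13:13 GMT` after the invalid one, while the strict entry in the last hunk has only the invalid header. As written, nothing checks that a response whose only Date is invalid is accepted without the strict flag, nor that the invalid-then-valid sequence is rejected with it. The request-side tests use an identical request for both modes; I would mirror that here by adding the single-Date input to the valid list and the two-Date input to the strict invalid list. The strict entry also sets only `.flags`; if the response test struct can carry an expected error (not visible in this hunk), pinning it would match the request test's `.error_code`.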