From 3d2f85d9ca66aecaf1c46a818998a27f99f755e2 Mon Sep 17 00:00:00 2001
From: Valentin Bartenev
Date: Thu, 15 Mar 2018 21:07:56 +0300
Subject: [PATCH] HTTP parser: restricting allowed characters in fields values.
According to RFC 7230 only printable 7-bit ASCII characters are allowed in field values.
---
 src/nxt_http_parse.c | 3 ++-
 src/test/nxt_http_parse_test.c | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c
index f8249abb..95127569 100644
--- a/src/nxt_http_parse.c
+++ b/src/nxt_http_parse.c
@@ -679,7 +679,8 @@ nxt_http_lookup_field_end(u_char *p, u_char *end)
 #define nxt_field_end_test_char(ch) \
 \
- if (nxt_slow_path((ch) < 0x10)) { \
+ /* Values below 0x20 become more than 0xdf. */ \
+ if (nxt_slow_path((u_char) ((ch) - 0x20) > 0x5e)) { \
 return &(ch); \
 }
diff --git a/src/test/nxt_http_parse_test.c b/src/test/nxt_http_parse_test.c
index d00fc1af..bc2e3a42 100644
--- a/src/test/nxt_http_parse_test.c
+++ b/src/test/nxt_http_parse_test.c
@@ -280,6 +280,24 @@ static nxt_http_parse_test_case_t nxt_http_test_cases[] = {
 NXT_HTTP_PARSE_INVALID,
 NULL, { NULL }
 },
+ {
+ nxt_string("GET / HTTP/1.1\r\n"
+ "Host: exa\bmple.com\r\n\r\n"),
+ NXT_HTTP_PARSE_INVALID,
+ NULL, { NULL }
+ },
+ {
+ nxt_string("GET / HTTP/1.1\r\n"
+ "Host: пример.испытание\r\n\r\n"),
+ NXT_HTTP_PARSE_INVALID,
+ NULL, { NULL }
+ },
+ {
+ nxt_string("GET / HTTP/1.1\r\n"
+ "Host: xn--e1afmkfd.xn--80akhbyknj4f\r\n\r\n"),
+ NXT_DONE,
+ NULL, { NULL }
+ },
 {
 nxt_string("GET / HTTP/1.1\r\n"
 "X-Unknown-Header: value\r\n"
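Review bot: The new comment in `nxt_field_end_test_char` explains only the lower bound of the test; the `> 0x5e` comparison also stops on 0x7f (DEL) and on every byte from 0x80 up, which is the part of the change that rejects non-ASCII values. I would word it as `/* Accept 0x20..0x7e only: bytes below 0x20 wrap to 0xe0..0xff. */` so the accepted range can be read without redoing the arithmetic. The test also stops on HTAB (0x09), as the old `< 0x10` test did, although RFC 7230 permits HTAB inside a field value; whether the caller accepts it after `nxt_http_lookup_field_end` returns cannot be seen here. The body of `nxt_http_lookup_field_end` and the places where the macro is expanded lie outside the hunk.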
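Review bot: The `\b` case does not exercise the new range check, because 0x08 was already below the old `< 0x10` limit in `nxt_field_end_test_char`; of the added cases only the non-ASCII Host value contains bytes that this commit newly rejects. The newly rejected values at the edges, 0x10–0x1f and 0x7f (DEL), have no case, so an off-by-one in the `> 0x5e` bound would still pass the suite. I would add two cases next to the `\b` one, written with octal escapes so the following letter cannot be absorbed into the escape, and expecting the same result as the `\b` case. The `nxt_http_test_cases[]` array begins and continues outside the hunk.

```c
    /* … unchanged: "Host: exa\bmple.com" case … */
    {
        nxt_string("GET / HTTP/1.1\r\n"
                   "Host: exa\037mple.com\r\n\r\n"),
        NXT_HTTP_PARSE_INVALID,
        NULL, { NULL }
    },
    {
        nxt_string("GET / HTTP/1.1\r\n"
                   "Host: exa\177mple.com\r\n\r\n"),
        NXT_HTTP_PARSE_INVALID,
        NULL, { NULL }
    },
```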