HTTP parser: restricting allowed characters in fields values.

According to RFC 7230 only printable 7-bit ASCII characters are allowed in field values.
2018-03-15 21:07:56 +03:00
parent 5a003df1fe
commit 3d2f85d9ca
2 changed files with 20 additions and 1 deletions
--- a/src/nxt_http_parse.c
+++ b/src/nxt_http_parse.c
@@ -679,7 +679,8 @@ nxt_http_lookup_field_end(u_char *p, u_char *end)

 #define nxt_field_end_test_char(ch)                                           \
                                                                              \
-        if (nxt_slow_path((ch) < 0x10)) {                                     \
+        /* Values below 0x20 become more than 0xdf. */                        \
+        if (nxt_slow_path((u_char) ((ch) - 0x20) > 0x5e)) {                   \
            return &(ch);                                                     \
        }

--- a/src/test/nxt_http_parse_test.c
+++ b/src/test/nxt_http_parse_test.c
@@ -280,6 +280,24 @@ static nxt_http_parse_test_case_t  nxt_http_test_cases[] = {
        NXT_HTTP_PARSE_INVALID,
        NULL, { NULL }
    },
+    {
+        nxt_string("GET / HTTP/1.1\r\n"
+                   "Host: exa\bmple.com\r\n\r\n"),
+        NXT_HTTP_PARSE_INVALID,
+        NULL, { NULL }
+    },
+    {
+        nxt_string("GET / HTTP/1.1\r\n"
+                   "Host: пример.испытание\r\n\r\n"),
+        NXT_HTTP_PARSE_INVALID,
+        NULL, { NULL }
+    },
+    {
+        nxt_string("GET / HTTP/1.1\r\n"
+                   "Host: xn--e1afmkfd.xn--80akhbyknj4f\r\n\r\n"),
+        NXT_DONE,
+        NULL, { NULL }
+    },
    {
        nxt_string("GET / HTTP/1.1\r\n"
                   "X-Unknown-Header: value\r\n"