Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
squid.26147
SQUID-2019_10.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File SQUID-2019_10.patch of Package squid.26147
ported from: commit 671ba97abe929156dc4c717ee52ad22fba0f7443 Author: Amos Jeffries <yadij@users.noreply.github.com> Date: 2019-09-11 02:52:52 +0000 RFC 7230: server MUST reject messages with BWS after field-name (#445) Obey the RFC requirement to reject HTTP requests with whitespace between field-name and the colon delimiter. Rejection is critical in the presence of broken HTTP agents that mishandle malformed messages. Also obey requirement to always strip such whitespace from HTTP response messages. The relaxed parser is no longer necessary for this response change. For now non-HTTP protocols retain the old behaviour of removal only when using the relaxed parser. Index: squid-3.5.21/src/HttpHeader.cc =================================================================== --- squid-3.5.21.orig/src/HttpHeader.cc +++ squid-3.5.21/src/HttpHeader.cc @@ -681,14 +681,11 @@ HttpHeader::parse(const char *header_sta break; /* terminating blank line */ } - if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) { + if ((e = HttpHeaderEntry::parse(field_start, field_end, owner)) == NULL) { debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" << getStringPrefix(field_start, field_end) << "}"); debugs(55, warnOnError, " in {" << getStringPrefix(header_start, header_end) << "}"); - if (Config.onoff.relaxed_header_parser) - continue; - PROF_stop(HttpHeaderParse); return reset(); } @@ -1625,7 +1622,7 @@ HttpHeaderEntry::~HttpHeaderEntry() /* parses and inits header entry, returns true/false */ HttpHeaderEntry * -HttpHeaderEntry::parse(const char *field_start, const char *field_end) +HttpHeaderEntry::parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType) { /* note: name_start == field_start */ const char *name_end = (const char *)memchr(field_start, ':', field_end - field_start); @@ -1642,19 +1639,42 @@ HttpHeaderEntry::parse(const char *field if (name_len > 65534) { /* String must be LESS THAN 64K and it adds a terminating NULL */ - debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes"); + // TODO: update this to show proper name_len in Raw markup, but not print all that + debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)"); return NULL; } - if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) { + /* + * RFC 7230 section 3.2.4: + * "No whitespace is allowed between the header field-name and colon. + * ... + * A server MUST reject any received request message that contains + * whitespace between a header field-name and colon with a response code + * of 400 (Bad Request). A proxy MUST remove any such whitespace from a + * response message before forwarding the message downstream." + */ + if (xisspace(field_start[name_len - 1])) { + + if (msgType == hoRequest) + return nullptr; + + // for now, also let relaxed parser remove this BWS from any non-HTTP messages + const bool stripWhitespace = (msgType == hoReply) || + Config.onoff.relaxed_header_parser; + if (!stripWhitespace) + return nullptr; // reject if we cannot strip + + debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2, "NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end) << "'"); while (name_len > 0 && xisspace(field_start[name_len - 1])) --name_len; - if (!name_len) + if (!name_len) { + debugs(55, 2, "found header with only whitespace for name"); return NULL; + } } /* now we know we can parse it */ @@ -1688,11 +1708,7 @@ HttpHeaderEntry::parse(const char *field if (field_end - value_start > 65534) { /* String must be LESS THAN 64K and it adds a terminating NULL */ - debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes"); - - if (id == HDR_OTHER) - name.clean(); - + debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes"); return NULL; } Index: squid-3.5.21/src/HttpHeader.h =================================================================== --- squid-3.5.21.orig/src/HttpHeader.h +++ squid-3.5.21/src/HttpHeader.h @@ -187,7 +187,7 @@ class HttpHeaderEntry public: HttpHeaderEntry(http_hdr_type id, const char *name, const char *value); ~HttpHeaderEntry(); - static HttpHeaderEntry *parse(const char *field_start, const char *field_end); + static HttpHeaderEntry *parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType); HttpHeaderEntry *clone() const; void packInto(Packer *p) const; int getInt() const;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor