Overview

File 0813-erts-Do-not-allow-whitespace-in-http-header-at-all.patch of Package erlang

From 2407480445e6f8f34c886b1bdad2f38034e62a9f Mon Sep 17 00:00:00 2001
From: Lukas Larsson <lukas@erlang.org>
Date: Fri, 8 Nov 2019 13:31:48 +0100
Subject: [PATCH] erts: Do not allow whitespace in http header at all

In RFC 7230 headers must not include any whitespaces because
of security reasons. This change returns a http_error
when a header ends with a whitespace. i.e. The below is no longer
allowed:

    Host : localhost:8000
---
 erts/emulator/beam/packet_parser.c         |  3 ---
 erts/emulator/test/decode_packet_SUITE.erl | 12 +++++++++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/erts/emulator/beam/packet_parser.c b/erts/emulator/beam/packet_parser.c
index 4b526887b5..c0937aa5f2 100644
--- a/erts/emulator/beam/packet_parser.c
+++ b/erts/emulator/beam/packet_parser.c
@@ -816,9 +816,6 @@ int packet_parse_http(const char* buf, int len, int* statep,
             ptr++;
             if (--n == 0) return -1;
         }
-        while (n && SP(ptr)) { /* Skip white space before ':' */
-            ptr++; n--;
-        } 
         if (*ptr != ':') {
             return -1;
         }
diff --git a/erts/emulator/test/decode_packet_SUITE.erl b/erts/emulator/test/decode_packet_SUITE.erl
index ef13b515fb..d0f46167e4 100644
--- a/erts/emulator/test/decode_packet_SUITE.erl
+++ b/erts/emulator/test/decode_packet_SUITE.erl
@@ -330,6 +330,15 @@ http(Config) when is_list(Config) ->
     %% Response with empty phrase
     {ok,{http_response,{1,1},200,[]},<<>>} = decode_pkt(http, <<"HTTP/1.1 200\r\n">>, []),
     {ok,{http_response,{1,1},200,<<>>},<<>>} = decode_pkt(http_bin, <<"HTTP/1.1 200\r\n">>, []),
+
+
+    %% Test error cases
+    {ok,{http_error,"Host\t: localhost:8000\r\n"},<<"a">>} =
+        decode_pkt(httph, <<"Host\t: localhost:8000\r\na">>, []),
+    {ok,{http_error,"Host : localhost:8000\r\n"},<<"a">>} =
+        decode_pkt(httph, <<"Host : localhost:8000\r\na">>, []),
+    {ok,{http_error," : localhost:8000\r\n"},<<"a">>} =
+        decode_pkt(httph, <<" : localhost:8000\r\na">>, []),
     ok.
 
 http_with_bin(http) ->
@@ -366,9 +375,6 @@ http_request(Msg) ->
            {"Connection: close\r\n",
             {http_header,2,'Connection',undefined,  "close"},
             {http_header,2,'Connection',undefined,<<"close">>}},	 
-           {"Host\t : localhost:8000\r\n", % white space before :
-            {http_header,14,'Host',undefined,  "localhost:8000"},
-            {http_header,14,'Host',undefined,<<"localhost:8000">>}},
            {"User-Agent: perl post\r\n",
             {http_header,24,'User-Agent',undefined,  "perl post"},
             {http_header,24,'User-Agent',undefined,<<"perl post">>}},
-- 
2.16.4
openSUSE Build Service is sponsored by
Places