diff options
| author | Valentin Bartenev <vbart@nginx.com> | 2018-03-15 21:07:56 +0300 |
|---|---|---|
| committer | Valentin Bartenev <vbart@nginx.com> | 2018-03-15 21:07:56 +0300 |
| commit | 3d2f85d9ca66aecaf1c46a818998a27f99f755e2 (patch) | |
| tree | e1afdc588ab1d5d1428893d6baaf5aa407097f1f /src | |
| parent | 5a003df1fedc45ba091e947a9d7b7f2351d6edb6 (diff) | |
| download | unit-3d2f85d9ca66aecaf1c46a818998a27f99f755e2.tar.gz unit-3d2f85d9ca66aecaf1c46a818998a27f99f755e2.tar.bz2 | |
HTTP parser: restricting allowed characters in fields values.
According to RFC 7230 only printable 7-bit ASCII characters are allowed
in field values.
Diffstat (limited to 'src')
| -rw-r--r-- | src/nxt_http_parse.c | 3 | ||||
| -rw-r--r-- | src/test/nxt_http_parse_test.c | 18 |
2 files changed, 20 insertions, 1 deletions
diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c index f8249abb..95127569 100644 --- a/src/nxt_http_parse.c +++ b/src/nxt_http_parse.c @@ -679,7 +679,8 @@ nxt_http_lookup_field_end(u_char *p, u_char *end) #define nxt_field_end_test_char(ch) \ \ - if (nxt_slow_path((ch) < 0x10)) { \ + /* Values below 0x20 become more than 0xdf. */ \ + if (nxt_slow_path((u_char) ((ch) - 0x20) > 0x5e)) { \ return &(ch); \ } diff --git a/src/test/nxt_http_parse_test.c b/src/test/nxt_http_parse_test.c index d00fc1af..bc2e3a42 100644 --- a/src/test/nxt_http_parse_test.c +++ b/src/test/nxt_http_parse_test.c @@ -282,6 +282,24 @@ static nxt_http_parse_test_case_t nxt_http_test_cases[] = { }, { nxt_string("GET / HTTP/1.1\r\n" + "Host: exa\bmple.com\r\n\r\n"), + NXT_HTTP_PARSE_INVALID, + NULL, { NULL } + }, + { + nxt_string("GET / HTTP/1.1\r\n" + "Host: пример.испытание\r\n\r\n"), + NXT_HTTP_PARSE_INVALID, + NULL, { NULL } + }, + { + nxt_string("GET / HTTP/1.1\r\n" + "Host: xn--e1afmkfd.xn--80akhbyknj4f\r\n\r\n"), + NXT_DONE, + NULL, { NULL } + }, + { + nxt_string("GET / HTTP/1.1\r\n" "X-Unknown-Header: value\r\n" "X-Good-Header: value\r\n\r\n"), NXT_DONE, |