From 0340b69ef4161a1630f93e8a838c47cb8afe24d9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Apr 2020 04:49:56 -0400 Subject: [PATCH] import http-parser-2.8.0-9.el8 --- .gitignore | 1 + .http-parser.metadata | 1 + SOURCES/CVE-2018-12121.patch | 82 ++++ SOURCES/CVE-2018-7159.patch | 121 +++++ ...VE-2019-15605-HTTP-request-smuggling.patch | 450 ++++++++++++++++++ ...ve-unused-functions-from-test-runner.patch | 64 +++ SPECS/http-parser.spec | 208 ++++++++ 7 files changed, 927 insertions(+) create mode 100644 .gitignore create mode 100644 .http-parser.metadata create mode 100644 SOURCES/CVE-2018-12121.patch create mode 100644 SOURCES/CVE-2018-7159.patch create mode 100644 SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch create mode 100644 SOURCES/remove-unused-functions-from-test-runner.patch create mode 100644 SPECS/http-parser.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ee2cd04 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/http-parser-2.8.0.tar.gz diff --git a/.http-parser.metadata b/.http-parser.metadata new file mode 100644 index 0000000..b4c812c --- /dev/null +++ b/.http-parser.metadata @@ -0,0 +1 @@ +deb0ce507a267a592e0f70dee45c62ce53b6a1a6 SOURCES/http-parser-2.8.0.tar.gz diff --git a/SOURCES/CVE-2018-12121.patch b/SOURCES/CVE-2018-12121.patch new file mode 100644 index 0000000..584fbe6 --- /dev/null +++ b/SOURCES/CVE-2018-12121.patch @@ -0,0 +1,82 @@ +From 05da7fb51cda374ae351829f67018924f931f18b Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 18 Feb 2020 09:10:18 -0300 +Subject: [PATCH] CVE-2018-12121 + +--- + http_parser.c | 15 +++++++++++---- + http_parser.h | 3 +++ + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/http_parser.c b/http_parser.c +index f9991c3..aef4437 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -25,6 +25,8 @@ + #include + #include + ++static uint32_t max_header_size = HTTP_MAX_HEADER_SIZE; ++ + #ifndef ULLONG_MAX + # define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */ + #endif +@@ -137,20 +139,20 @@ do { \ + } while (0) + + /* Don't allow the total size of the HTTP headers (including the status +- * line) to exceed HTTP_MAX_HEADER_SIZE. This check is here to protect ++ * line) to exceed max_header_size. This check is here to protect + * embedders against denial-of-service attacks where the attacker feeds + * us a never-ending header that the embedder keeps buffering. + * + * This check is arguably the responsibility of embedders but we're doing + * it on the embedder's behalf because most won't bother and this way we +- * make the web a little safer. HTTP_MAX_HEADER_SIZE is still far bigger ++ * make the web a little safer. max_header_size is still far bigger + * than any reasonable request or response so this should never affect + * day-to-day operation. + */ + #define COUNT_HEADER_SIZE(V) \ + do { \ + parser->nread += (V); \ +- if (UNLIKELY(parser->nread > (HTTP_MAX_HEADER_SIZE))) { \ ++ if (UNLIKELY(parser->nread > (max_header_size))) { \ + SET_ERRNO(HPE_HEADER_OVERFLOW); \ + goto error; \ + } \ +@@ -1471,7 +1473,7 @@ reexecute: + const char* p_lf; + size_t limit = data + len - p; + +- limit = MIN(limit, HTTP_MAX_HEADER_SIZE); ++ limit = MIN(limit, max_header_size); + + p_cr = (const char*) memchr(p, CR, limit); + p_lf = (const char*) memchr(p, LF, limit); +@@ -2438,3 +2440,8 @@ http_parser_version(void) { + HTTP_PARSER_VERSION_MINOR * 0x00100 | + HTTP_PARSER_VERSION_PATCH * 0x00001; + } ++ ++void ++http_parser_set_max_header_size(uint32_t size) { ++ max_header_size = size; ++} +diff --git a/http_parser.h b/http_parser.h +index 1fbf30e..ea7bafe 100644 +--- a/http_parser.h ++++ b/http_parser.h +@@ -427,6 +427,9 @@ void http_parser_pause(http_parser *parser, int paused); + /* Checks if this is the final chunk of the body. */ + int http_body_is_final(const http_parser *parser); + ++/* Change the maximum header size provided at compile time. */ ++void http_parser_set_max_header_size(uint32_t size); ++ + #ifdef __cplusplus + } + #endif +-- +2.18.2 + diff --git a/SOURCES/CVE-2018-7159.patch b/SOURCES/CVE-2018-7159.patch new file mode 100644 index 0000000..ee94f15 --- /dev/null +++ b/SOURCES/CVE-2018-7159.patch @@ -0,0 +1,121 @@ +From 5756942f51426a24add619377da15b18ecae91ef Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis +Date: Tue, 27 Mar 2018 16:45:33 +0200 +Subject: [PATCH] deps: reject interior blanks in Content-Length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original commit message follows: + + Before this commit `Content-Length: 4 2` was accepted as a valid + header and recorded as `parser->content_length = 42`. Now it is + a parse error that fails with error `HPE_INVALID_CONTENT_LENGTH`. + + Downstream users that inspect `parser->content_length` and naively + parse the string value using `strtoul()` might get confused by the + discrepancy between the two values. Resolve that by simply not + letting it happen. + +Fixes: https://github.com/nodejs-private/security/issues/178 +PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1 +Reviewed-By: Сковорода Никита Андреевич +Reviewed-By: Colin Ihrig +Reviewed-By: Evan Lucas +Reviewed-By: Fedor Indutny +Reviewed-By: James M Snell +Reviewed-By: Rod Vagg +--- + http_parser.c | 19 ++++++++++++++++++- + test.c | 21 +++++++++++++++++++++ + 2 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/http_parser.c b/http_parser.c +index 5b5657b..f9991c3 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -370,6 +370,8 @@ enum header_states + + , h_connection + , h_content_length ++ , h_content_length_num ++ , h_content_length_ws + , h_transfer_encoding + , h_upgrade + +@@ -1406,6 +1408,7 @@ reexecute: + + parser->flags |= F_CONTENTLENGTH; + parser->content_length = ch - '0'; ++ parser->header_state = h_content_length_num; + break; + + case h_connection: +@@ -1493,10 +1496,18 @@ reexecute: + break; + + case h_content_length: ++ if (ch == ' ') break; ++ h_state = h_content_length_num; ++ /* FALLTHROUGH */ ++ ++ case h_content_length_num: + { + uint64_t t; + +- if (ch == ' ') break; ++ if (ch == ' ') { ++ h_state = h_content_length_ws; ++ break; ++ } + + if (UNLIKELY(!IS_NUM(ch))) { + SET_ERRNO(HPE_INVALID_CONTENT_LENGTH); +@@ -1519,6 +1530,12 @@ reexecute: + break; + } + ++ case h_content_length_ws: ++ if (ch == ' ') break; ++ SET_ERRNO(HPE_INVALID_CONTENT_LENGTH); ++ parser->header_state = h_state; ++ goto error; ++ + /* Transfer-Encoding: chunked */ + case h_matching_transfer_encoding_chunked: + parser->index++; +diff --git a/test.c b/test.c +index bc4e664..cb445ce 100644 +--- a/test.c ++++ b/test.c +@@ -4168,6 +4168,27 @@ main (void) + test_invalid_header_field_token_error(HTTP_RESPONSE); + test_invalid_header_field_content_error(HTTP_RESPONSE); + ++ test_simple_type( ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: 42 \r\n" // Note the surrounding whitespace. ++ "\r\n", ++ HPE_OK, ++ HTTP_REQUEST); ++ ++ test_simple_type( ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: 4 2\r\n" ++ "\r\n", ++ HPE_INVALID_CONTENT_LENGTH, ++ HTTP_REQUEST); ++ ++ test_simple_type( ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: 13 37\r\n" ++ "\r\n", ++ HPE_INVALID_CONTENT_LENGTH, ++ HTTP_REQUEST); ++ + //// RESPONSES + + test_simple_type("HTP/1.1 200 OK\r\n\r\n", HPE_INVALID_VERSION, HTTP_RESPONSE); +-- +2.18.2 + diff --git a/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch b/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch new file mode 100644 index 0000000..8ac24b7 --- /dev/null +++ b/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch @@ -0,0 +1,450 @@ +From b41d69bedcdbb8fe0cd790d0bcccbb457d6170d3 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Wed, 26 Feb 2020 17:03:26 -0300 +Subject: [PATCH] CVE-2019-15605 - HTTP request smuggling + +Upstream: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b + +Support multi-coding Transfer-Encoding + +`Transfer-Encoding` header might have multiple codings in it. Even +though llhttp cares only about `chunked`, it must check that `chunked` +is the last coding (if present). + +ABNF from RFC 7230: + +``` +Transfer-Encoding = *( "," OWS ) transfer-coding *( OWS "," [ OWS + transfer-coding ] ) +transfer-coding = "chunked" / "compress" / "deflate" / "gzip" / + transfer-extension + transfer-extension = token *( OWS ";" OWS transfer-parameter ) + transfer-parameter = token BWS "=" BWS ( token / quoted-string ) +``` + +However, if `chunked` is not last - llhttp must assume that the encoding +and size of the body is unknown (according to 3.3.3 of RFC 7230) and +read the response until EOF. For request - the error must be raised for +an unknown `Transfer-Encoding`. + +Furthermore, 3.3.3 of RFC 7230 explicitly states that presence of both +`Transfer-Encoding` and `Content-Length` indicates the smuggling attack +and "ought to be handled as an error". + +For the lenient mode: + +* Unknown `Transfer-Encoding` in requests is not an error and request + body is simply read until EOF (end of connection) +* Only `Transfer-Encoding: chunked` together with `Content-Length` would + result an error (just like before the patch) + +PR-URL: nodejs-private/http-parser-private#4 +Reviewed-By: Matteo Collina +Reviewed-By: Sam Roberts +Reviewed-By: James M Snell +--- + http_parser.c | 110 ++++++++++++++++++++++++++++++++++++++++++++------ + http_parser.h | 8 ++-- + test.c | 90 +++++++++++++++++++++++++++++++++++++++-- + 3 files changed, 189 insertions(+), 19 deletions(-) + +diff --git a/http_parser.c b/http_parser.c +index aef4437..cd120d8 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -176,6 +176,22 @@ static const char *method_strings[] = + #undef XX + }; + ++/* Added for handling CVE-2019-15605. */ ++static void reset_flags(http_parser* p) ++{ ++ p->flags = 0; ++ p->transfer_encoding = 0; ++} ++ ++static void set_transfer_encoding(http_parser* p) ++{ ++ p->transfer_encoding = 1; ++} ++ ++static int is_transfer_encoding(const http_parser* p) ++{ ++ return p->transfer_encoding; ++} + + /* Tokens as defined by rfc 2616. Also lowercases them. + * token = 1* +@@ -378,6 +394,7 @@ enum header_states + , h_upgrade + + , h_matching_transfer_encoding_chunked ++ + , h_matching_connection_token_start + , h_matching_connection_keep_alive + , h_matching_connection_close +@@ -388,6 +405,10 @@ enum header_states + , h_connection_keep_alive + , h_connection_close + , h_connection_upgrade ++ ++ /* CVE-2019-15605 */ ++ , h_matching_transfer_encoding_token_start ++ , h_matching_transfer_encoding_token + }; + + enum http_host_state +@@ -722,7 +743,7 @@ reexecute: + { + if (ch == CR || ch == LF) + break; +- parser->flags = 0; ++ reset_flags(parser); + parser->content_length = ULLONG_MAX; + + if (ch == 'H') { +@@ -757,7 +778,7 @@ reexecute: + + case s_start_res: + { +- parser->flags = 0; ++ reset_flags(parser); + parser->content_length = ULLONG_MAX; + + switch (ch) { +@@ -921,7 +942,7 @@ reexecute: + { + if (ch == CR || ch == LF) + break; +- parser->flags = 0; ++ reset_flags(parser); + parser->content_length = ULLONG_MAX; + + if (UNLIKELY(!IS_ALPHA(ch))) { +@@ -1313,6 +1334,7 @@ reexecute: + parser->header_state = h_general; + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; ++ set_transfer_encoding(parser); + } + break; + +@@ -1393,10 +1415,14 @@ reexecute: + if ('c' == c) { + parser->header_state = h_matching_transfer_encoding_chunked; + } else { +- parser->header_state = h_general; ++ parser->header_state = h_matching_transfer_encoding_token; + } + break; + ++ /* Multi-value `Transfer-Encoding` header */ ++ case h_matching_transfer_encoding_token_start: ++ break; ++ + case h_content_length: + if (UNLIKELY(!IS_NUM(ch))) { + SET_ERRNO(HPE_INVALID_CONTENT_LENGTH); +@@ -1539,16 +1565,41 @@ reexecute: + goto error; + + /* Transfer-Encoding: chunked */ ++ case h_matching_transfer_encoding_token_start: ++ /* looking for 'Transfer-Encoding: chunked' */ ++ if ('c' == c) { ++ h_state = h_matching_transfer_encoding_chunked; ++ } else if (STRICT_TOKEN(c)) { ++ /* TODO(indutny): similar code below does this, but why? ++ * At the very least it seems to be inconsistent given that ++ * h_matching_transfer_encoding_token does not check for ++ * `STRICT_TOKEN` ++ */ ++ h_state = h_matching_transfer_encoding_token; ++ } else if (c == ' ' || c == '\t') { ++ /* Skip lws */ ++ } else { ++ h_state = h_general; ++ } ++ break; ++ + case h_matching_transfer_encoding_chunked: + parser->index++; + if (parser->index > sizeof(CHUNKED)-1 + || c != CHUNKED[parser->index]) { +- h_state = h_general; ++ h_state = h_matching_transfer_encoding_token; + } else if (parser->index == sizeof(CHUNKED)-2) { + h_state = h_transfer_encoding_chunked; + } + break; + ++ case h_matching_transfer_encoding_token: ++ if (ch == ',') { ++ h_state = h_matching_transfer_encoding_token_start; ++ parser->index = 0; ++ } ++ break; ++ + case h_matching_connection_token_start: + /* looking for 'Connection: keep-alive' */ + if (c == 'k') { +@@ -1607,7 +1658,7 @@ reexecute: + break; + + case h_transfer_encoding_chunked: +- if (ch != ' ') h_state = h_general; ++ if (ch != ' ') h_state = h_matching_transfer_encoding_token; + break; + + case h_connection_keep_alive: +@@ -1732,12 +1783,17 @@ reexecute: + REEXECUTE(); + } + +- /* Cannot use chunked encoding and a content-length header together +- per the HTTP specification. */ +- if ((parser->flags & F_CHUNKED) && ++ /* Cannot use transfer-encoding and a content-length header together ++ per the HTTP specification. (RFC 7230 Section 3.3.3) */ ++ if ((is_transfer_encoding(parser)) && + (parser->flags & F_CONTENTLENGTH)) { +- SET_ERRNO(HPE_UNEXPECTED_CONTENT_LENGTH); +- goto error; ++ /* Allow it for lenient parsing as long as `Transfer-Encoding` is ++ * not `chunked` ++ */ ++ if (!lenient || (parser->flags & F_CHUNKED)) { ++ SET_ERRNO(HPE_UNEXPECTED_CONTENT_LENGTH); ++ goto error; ++ } + } + + UPDATE_STATE(s_headers_done); +@@ -1811,8 +1867,31 @@ reexecute: + UPDATE_STATE(NEW_MESSAGE()); + CALLBACK_NOTIFY(message_complete); + } else if (parser->flags & F_CHUNKED) { +- /* chunked encoding - ignore Content-Length header */ ++ /* chunked encoding - ignore Content-Length header, ++ * prepare for a chunk */ + UPDATE_STATE(s_chunk_size_start); ++ } else if (is_transfer_encoding(parser)) { ++ if (parser->type == HTTP_REQUEST && !lenient) { ++ /* RFC 7230 3.3.3 */ ++ ++ /* If a Transfer-Encoding header field ++ * is present in a request and the chunked transfer coding is not ++ * the final encoding, the message body length cannot be determined ++ * reliably; the server MUST respond with the 400 (Bad Request) ++ * status code and then close the connection. ++ */ ++ SET_ERRNO(HPE_INVALID_TRANSFER_ENCODING); ++ RETURN(p - data); /* Error */ ++ } else { ++ /* RFC 7230 3.3.3 */ ++ ++ /* If a Transfer-Encoding header field is present in a response and ++ * the chunked transfer coding is not the final encoding, the ++ * message body length is determined by reading the connection until ++ * it is closed by the server. ++ */ ++ UPDATE_STATE(s_body_identity_eof); ++ } + } else { + if (parser->content_length == 0) { + /* Content-Length header given but zero: Content-Length: 0\r\n */ +@@ -2064,6 +2143,12 @@ http_message_needs_eof (const http_parser *parser) + return 0; + } + ++ /* RFC 7230 3.3.3, see `s_headers_almost_done` */ ++ if ((is_transfer_encoding(parser)) && ++ (parser->flags & F_CHUNKED) == 0) { ++ return 1; ++ } ++ + if ((parser->flags & F_CHUNKED) || parser->content_length != ULLONG_MAX) { + return 0; + } +@@ -2107,6 +2192,7 @@ http_parser_init (http_parser *parser, enum http_parser_type t) + parser->type = t; + parser->state = (t == HTTP_REQUEST ? s_start_req : (t == HTTP_RESPONSE ? s_start_res : s_start_req_or_res)); + parser->http_errno = HPE_OK; ++ reset_flags(parser); + } + + void +diff --git a/http_parser.h b/http_parser.h +index ea7bafe..a4841be 100644 +--- a/http_parser.h ++++ b/http_parser.h +@@ -275,8 +275,9 @@ enum flags + XX(INVALID_INTERNAL_STATE, "encountered unexpected internal state")\ + XX(STRICT, "strict mode assertion failed") \ + XX(PAUSED, "parser is paused") \ +- XX(UNKNOWN, "an unknown error occurred") +- ++ XX(UNKNOWN, "an unknown error occurred") \ ++ XX(INVALID_TRANSFER_ENCODING, \ ++ "request has invalid transfer-encoding") + + /* Define HPE_* values for each errno value above */ + #define HTTP_ERRNO_GEN(n, s) HPE_##n, +@@ -293,7 +294,7 @@ enum http_errno { + struct http_parser { + /** PRIVATE **/ + unsigned int type : 2; /* enum http_parser_type */ +- unsigned int flags : 8; /* F_* values from 'flags' enum; semi-public */ ++ unsigned int flags : 8; /* F_* values from 'flags' enum; semi-public */ + unsigned int state : 7; /* enum state from http_parser.c */ + unsigned int header_state : 7; /* enum header_state from http_parser.c */ + unsigned int index : 7; /* index into current matcher */ +@@ -318,6 +319,7 @@ struct http_parser { + + /** PUBLIC **/ + void *data; /* A pointer to get hook to the "connection" or "socket" object */ ++ unsigned int transfer_encoding : 8; /* CVE-2019-15605 */ + }; + + +diff --git a/test.c b/test.c +index a1fa0d3..bb83d14 100644 +--- a/test.c ++++ b/test.c +@@ -260,7 +260,6 @@ const struct message requests[] = + ,.type= HTTP_REQUEST + ,.raw= "POST /post_identity_body_world?q=search#hey HTTP/1.1\r\n" + "Accept: */*\r\n" +- "Transfer-Encoding: identity\r\n" + "Content-Length: 5\r\n" + "\r\n" + "World" +@@ -273,10 +272,9 @@ const struct message requests[] = + ,.fragment= "hey" + ,.request_path= "/post_identity_body_world" + ,.request_url= "/post_identity_body_world?q=search#hey" +- ,.num_headers= 3 ++ ,.num_headers= 2 + ,.headers= + { { "Accept", "*/*" } +- , { "Transfer-Encoding", "identity" } + , { "Content-Length", "5" } + } + ,.body= "World" +@@ -1172,6 +1170,61 @@ const struct message requests[] = + ,.body= "" + } + ++#define POST_MULTI_TE_LAST_CHUNKED 43 ++, {.name= "post - multi coding transfer-encoding chunked body" ++ ,.type= HTTP_REQUEST ++ ,.raw= "POST / HTTP/1.1\r\n" ++ "Transfer-Encoding: deflate, chunked\r\n" ++ "\r\n" ++ "1e\r\nall your base are belong to us\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= TRUE ++ ,.message_complete_on_eof= FALSE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.method= HTTP_POST ++ ,.query_string= "" ++ ,.fragment= "" ++ ,.request_path= "/" ++ ,.request_url= "/" ++ ,.num_headers= 1 ++ ,.headers= ++ { { "Transfer-Encoding" , "deflate, chunked" } ++ } ++ ,.body= "all your base are belong to us" ++ ,.num_chunks_complete= 2 ++ ,.chunk_lengths= { 0x1e } ++ } ++ ++#define POST_MULTI_LINE_TE_LAST_CHUNKED 43 ++, {.name= "post - multi coding transfer-encoding chunked body" ++ ,.type= HTTP_REQUEST ++ ,.raw= "POST / HTTP/1.1\r\n" ++ "Transfer-Encoding: deflate,\r\n" ++ " chunked\r\n" ++ "\r\n" ++ "1e\r\nall your base are belong to us\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= TRUE ++ ,.message_complete_on_eof= FALSE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.method= HTTP_POST ++ ,.query_string= "" ++ ,.fragment= "" ++ ,.request_path= "/" ++ ,.request_url= "/" ++ ,.num_headers= 1 ++ ,.headers= ++ { { "Transfer-Encoding" , "deflate, chunked" } ++ } ++ ,.body= "all your base are belong to us" ++ ,.num_chunks_complete= 2 ++ ,.chunk_lengths= { 0x1e } ++ } ++ + , {.name= NULL } /* sentinel */ + }; + +@@ -1951,6 +2004,29 @@ const struct message responses[] = + ,.chunk_lengths= { 2, 2 } + } + ++#define HTTP_200_MULTI_TE_NOT_LAST_CHUNKED 28 ++, {.name= "HTTP 200 response with `chunked` being *not last* Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked, identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.num_headers= 1 ++ ,.headers= { { "Transfer-Encoding", "chunked, identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } ++ + , {.name= NULL } /* sentinel */ + }; + +@@ -3629,7 +3705,7 @@ test_chunked_content_length_error (int req) + parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf)); + assert(parsed == strlen(buf)); + +- buf = "Transfer-Encoding: chunked\r\nContent-Length: 1\r\n\r\n"; ++ buf = "Transfer-Encoding: anything\r\nContent-Length: 1\r\n\r\n"; + size_t buflen = strlen(buf); + + parsed = http_parser_execute(&parser, &settings_null, buf, buflen); +@@ -4277,6 +4353,12 @@ main (void) + "fooba", + HPE_OK); + ++ // Unknown Transfer-Encoding in request ++ test_simple("GET / HTTP/1.1\r\n" ++ "Transfer-Encoding: unknown\r\n" ++ "\r\n", ++ HPE_INVALID_TRANSFER_ENCODING); ++ + static const char *all_methods[] = { + "DELETE", + "GET", +-- +2.18.2 + diff --git a/SOURCES/remove-unused-functions-from-test-runner.patch b/SOURCES/remove-unused-functions-from-test-runner.patch new file mode 100644 index 0000000..690fcbf --- /dev/null +++ b/SOURCES/remove-unused-functions-from-test-runner.patch @@ -0,0 +1,64 @@ +From d22c4c1e3ab9ffe5faaa08bacd993c814ca1c92e Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 18 Feb 2020 09:11:05 -0300 +Subject: [PATCH] Remove unused functions from test runner. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream: 705e519bf56e5904c761a411b38a66e84bf7fc2d + +PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1 +Reviewed-By: Сковорода Никита Андреевич +Reviewed-By: Colin Ihrig +Reviewed-By: Evan Lucas +Reviewed-By: Fedor Indutny +Reviewed-By: James M Snell +Reviewed-By: Rod Vagg +--- + test.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/test.c b/test.c +index cb445ce..a1fa0d3 100644 +--- a/test.c ++++ b/test.c +@@ -27,9 +27,7 @@ + #include + + #if defined(__APPLE__) +-# undef strlcat + # undef strlncpy +-# undef strlcpy + #endif /* defined(__APPLE__) */ + + #undef TRUE +@@ -1993,12 +1991,6 @@ strlncat(char *dst, size_t len, const char *src, size_t n) + return slen + dlen; + } + +-size_t +-strlcat(char *dst, const char *src, size_t len) +-{ +- return strlncat(dst, len, src, (size_t) -1); +-} +- + size_t + strlncpy(char *dst, size_t len, const char *src, size_t n) + { +@@ -2017,12 +2009,6 @@ strlncpy(char *dst, size_t len, const char *src, size_t n) + return slen; + } + +-size_t +-strlcpy(char *dst, const char *src, size_t len) +-{ +- return strlncpy(dst, len, src, (size_t) -1); +-} +- + int + request_url_cb (http_parser *p, const char *buf, size_t len) + { +-- +2.18.2 + diff --git a/SPECS/http-parser.spec b/SPECS/http-parser.spec new file mode 100644 index 0000000..506e968 --- /dev/null +++ b/SPECS/http-parser.spec @@ -0,0 +1,208 @@ +%bcond_without check + +Name: http-parser +Version: 2.8.0 +Release: 9%{?dist} +Summary: HTTP request/response parser for C + +License: MIT +URL: https://github.com/nodejs/http-parser +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz + +BuildRequires: meson +BuildRequires: gcc + +Patch01: CVE-2018-7159.patch +Patch02: CVE-2018-12121.patch +Patch03: remove-unused-functions-from-test-runner.patch +Patch04: CVE-2019-15605-HTTP-request-smuggling.patch + +%description +This is a parser for HTTP messages written in C. It parses both requests and +responses. The parser is designed to be used in performance HTTP applications. +It does not make any syscalls nor allocations, it does not buffer data, it can +be interrupted at anytime. Depending on your architecture, it only requires +about 40 bytes of data per message stream (in a web server that is per +connection). + +%package devel +Summary: Development headers and libraries for http-parser +Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} + +%description devel +Development headers and libraries for http-parser. + +%prep +%autosetup -p1 + +# TODO: try to send upstream? +cat > meson.build << EOF +project('%{name}', 'c', version : '%{version}') +install_headers('http_parser.h') +foreach x : [['http_parser', ['-DHTTP_PARSER_STRICT=0']], + ['http_parser_strict', ['-DHTTP_PARSER_STRICT=1']]] + lib = library(x.get(0), 'http_parser.c', + c_args : x.get(1), + version : '%{version}', + install : true) + test('test-@0@'.format(x.get(0)), + executable('test-@0@'.format(x.get(0)), 'test.c', + c_args : x.get(1), + link_with : lib), + timeout : 60) +endforeach +EOF + +%build +%meson +%meson_build + +%install +%meson_install + +%if %{with check} +%check +%meson_test +%endif + +%ldconfig_scriptlets + +%files +%license LICENSE-MIT +%doc AUTHORS README.md +%{_libdir}/libhttp_parser.so.* +%{_libdir}/libhttp_parser_strict.so.* + +%files devel +%{_includedir}/http_parser.h +%{_libdir}/libhttp_parser.so +%{_libdir}/libhttp_parser_strict.so + +%changelog +* Wed Feb 26 2020 Sergio Correia - 2.8.0-9 +- Do not break ABI with CVE-2019-15605 fix + +* Wed Feb 19 2020 Sergio Correia - 2.8.0-8 +- Update gating tests due to CVE-2019-15605 + +* Tue Feb 18 2020 Sergio Corrreia - 2.8.0-7 +- Resolves: CVE-2019-15605 http-parser: nodejs: HTTP request + smuggling using malformed Transfer-Encoding header + +* Tue Oct 29 2019 Sergio Correia - 2.8.0-6 +- Provide -devel package + Resolves: rhbz#1748765: http-parser-devel package not available in CRB + +* Mon Aug 12 2019 Sergio Correia - 2.8.0-5 +- Resolves: rhbz#1686488: 'make test' fails with stringop-overflow error + +* Thu Aug 08 2019 Sergio Correia - 2.8.0-4 +- Resolves: rhbz#1666382: CVE-2018-12121 http-parser: nodejs: Denial of + Service with large HTTP headers [rhel-8] + +* Thu Apr 11 2019 Daniel Kopecek - 2.8.0-3 +- spec: make the check phase conditional + +* Mon Dec 3 2018 Jakub Hrozek - 2.8.0-2 +- Resolves: #rhbz1654223: CVE-2018-7159 http-parser: nodejs: HTTP parser + allowed for spaces inside Content-Length header + values [rhel-8] + +* Sat Feb 10 2018 Igor Gnatenko - 2.8.0-1 +- Update to 2.8.0 +- Switch to meson buildsystem + +* Wed Feb 07 2018 Fedora Release Engineering - 2.7.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 2.7.1-8 +- Switch to %%ldconfig_scriptlets + +* Wed Aug 02 2017 Fedora Release Engineering - 2.7.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.7.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 2.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Nov 21 2016 Igor Gnatenko - 2.7.1-4 +- Use CMake buildsystem + +* Tue Oct 25 2016 Nathaniel McCallum - 2.7.1-3 +- Add (upstreamed) status code patch + +* Tue Aug 16 2016 Stephen Gallagher - 2.7.1-2 +- Upgrade to version 2.7.1 + +* Wed Feb 03 2016 Fedora Release Engineering - 2.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Dec 01 2015 Stephen Gallagher 2.6.0-1 +- Upgrade to version 2.6.0 +- Change to new upstream at https://github.com/nodejs/http-parser/ + +* Wed Jun 17 2015 Fedora Release Engineering - 2.0-9.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat May 02 2015 Kalev Lember - 2.0-8.20121128gitcd01361 +- Rebuilt for GCC 5 C++11 ABI change + +* Sat Aug 16 2014 Fedora Release Engineering - 2.0-7.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 2.0-6.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 2.0-5.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 2.0-4.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sun Dec 02 2012 T.C. Hollingsworth - 2.0-3.20121128gitcd01361 +- latest git snapshot +- fixes buffer overflow in tests + +* Tue Nov 27 2012 T.C. Hollingsworth - 2.0-2.20121110git245f6f0 +- latest git snapshot +- fixes tests +- use SMP make flags +- build as Release instead of Debug +- ship new strict variant + +* Sat Oct 13 2012 T.C. Hollingsworth - 2.0-1 +- new upstream release 2.0 +- migrate to GYP buildsystem + +* Thu Jul 19 2012 Fedora Release Engineering - 1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Aug 22 2011 T.C. Hollingsworth - 1.0-1 +- New upstream release 1.0 +- Remove patches, no longer needed for nodejs +- Fix typo in -devel description +- use github tarball instead of checkout + +* Wed Feb 09 2011 Fedora Release Engineering - 0.3-6.20100911git +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 11 2011 Lubomir Rintel - 0.3-5.20100911git +- Add support for methods used by node.js + +* Thu Nov 4 2010 Dan Horák - 0.3-4.20100911git +- build with -fsigned-char + +* Wed Sep 29 2010 jkeating - 0.3-3.20100911git +- Rebuilt for gcc bug 634757 + +* Mon Sep 20 2010 Lubomir Rintel - 0.3-2.20100911git +- Call ldconfig (Peter Lemenkov) + +* Fri Sep 17 2010 Lubomir Rintel - 0.3-1.20100911git +- Initial packaging +