rpms
/
http-parser
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:c9
Branches Tags
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
..
compare: rpms:i8c
Branches Tags
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'i8c' have entirely different histories.
c9 ... i8c

8 changed files with 754 additions and 127 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/http-parser-2.9.4.tar.gz
SOURCES/http-parser-2.8.0.tar.gz

2
.http-parser.metadata
Unescape View File

@ -1 +1 @@
8df5277feefe79f3d4472b8f2c5ca9224b2221dd SOURCES/http-parser-2.9.4.tar.gz
deb0ce507a267a592e0f70dee45c62ce53b6a1a6 SOURCES/http-parser-2.8.0.tar.gz

79
SOURCES/0001-url-treat-empty-port-as-default.patch
Unescape View File

@ -1,79 +0,0 @@
From d1bb7a564e0f92ef2081d3af8b4b7f85a307c38f Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Fri, 14 Jun 2019 17:37:22 +0100
Subject: [PATCH] url: treat empty port as default
When parsing URLs, treat an empty port (eg `http://hostname:/`) as if it
were unspecified. RFC 3986 says:
> URI producers and normalizers SHOULD omit the port component and its
> ":" delimiter if port is empty or if its value would be the same as
> that of the scheme's default.
(Emphasis on the "SHOULD" is mine.) This indicates that URIs MAY be
produced with an empty port and the `:` delimiter.
Thus, we stop failing if we end host parsing at the port delimiter.
---
http_parser.c | 1 -
test.c | 25 +++++++++++++++++++------
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/http_parser.c b/http_parser.c
index 4896385..7e268d8 100644
--- a/http_parser.c
+++ b/http_parser.c
@@ -2326,7 +2326,6 @@ http_parse_host(const char * buf, struct http_parser_url *u, int found_at) {
case s_http_host_v6:
case s_http_host_v6_zone_start:
case s_http_host_v6_zone:
- case s_http_host_port_start:
case s_http_userinfo:
case s_http_userinfo_start:
return 1;
diff --git a/test.c b/test.c
index 0140a18..54eca61 100644
--- a/test.c
+++ b/test.c
@@ -2825,6 +2825,25 @@ const struct url_test url_tests[] =
,.rv=0
}
+, {.name="proxy empty port"
+ ,.url="http://hostname:/"
+ ,.is_connect=0
+ ,.u=
+ {.field_set=(1 << UF_SCHEMA) | (1 << UF_HOST) | (1 << UF_PATH)
+ ,.port=0
+ ,.field_data=
+ {{ 0, 4 } /* UF_SCHEMA */
+ ,{ 7, 8 } /* UF_HOST */
+ ,{ 0, 0 } /* UF_PORT */
+ ,{ 16, 1 } /* UF_PATH */
+ ,{ 0, 0 } /* UF_QUERY */
+ ,{ 0, 0 } /* UF_FRAGMENT */
+ ,{ 0, 0 } /* UF_USERINFO */
+ }
+ }
+ ,.rv=0
+ }
+
, {.name="CONNECT request"
,.url="hostname:443"
,.is_connect=1
@@ -3059,12 +3078,6 @@ const struct url_test url_tests[] =
,.rv=1
}
-, {.name="proxy empty port"
- ,.url="http://hostname:/"
- ,.is_connect=0
- ,.rv=1
- }
-
, {.name="CONNECT with basic auth"
,.url="a:b@hostname:443"
,.is_connect=1
--
2.25.1

82
SOURCES/CVE-2018-12121.patch
Unescape View File

@ -0,0 +1,82 @@
From 05da7fb51cda374ae351829f67018924f931f18b Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Tue, 18 Feb 2020 09:10:18 -0300
Subject: [PATCH] CVE-2018-12121
---
http_parser.c | 15 +++++++++++----
http_parser.h | 3 +++
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/http_parser.c b/http_parser.c
index f9991c3..aef4437 100644
--- a/http_parser.c
+++ b/http_parser.c
@@ -25,6 +25,8 @@
#include <string.h>
#include <limits.h>
+static uint32_t max_header_size = HTTP_MAX_HEADER_SIZE;
+
#ifndef ULLONG_MAX
# define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */
#endif
@@ -137,20 +139,20 @@ do { \
} while (0)
/* Don't allow the total size of the HTTP headers (including the status
- * line) to exceed HTTP_MAX_HEADER_SIZE. This check is here to protect
+ * line) to exceed max_header_size. This check is here to protect
* embedders against denial-of-service attacks where the attacker feeds
* us a never-ending header that the embedder keeps buffering.
*
* This check is arguably the responsibility of embedders but we're doing
* it on the embedder's behalf because most won't bother and this way we
- * make the web a little safer. HTTP_MAX_HEADER_SIZE is still far bigger
+ * make the web a little safer. max_header_size is still far bigger
* than any reasonable request or response so this should never affect
* day-to-day operation.
*/
#define COUNT_HEADER_SIZE(V) \
do { \
parser->nread += (V); \
- if (UNLIKELY(parser->nread > (HTTP_MAX_HEADER_SIZE))) { \
+ if (UNLIKELY(parser->nread > (max_header_size))) { \
SET_ERRNO(HPE_HEADER_OVERFLOW); \
goto error; \
} \
@@ -1471,7 +1473,7 @@ reexecute:
const char* p_lf;
size_t limit = data + len - p;
- limit = MIN(limit, HTTP_MAX_HEADER_SIZE);
+ limit = MIN(limit, max_header_size);
p_cr = (const char*) memchr(p, CR, limit);
p_lf = (const char*) memchr(p, LF, limit);
@@ -2438,3 +2440,8 @@ http_parser_version(void) {
HTTP_PARSER_VERSION_MINOR * 0x00100 |
HTTP_PARSER_VERSION_PATCH * 0x00001;
}
+
+void
+http_parser_set_max_header_size(uint32_t size) {
+ max_header_size = size;
+}
diff --git a/http_parser.h b/http_parser.h
index 1fbf30e..ea7bafe 100644
--- a/http_parser.h
+++ b/http_parser.h
@@ -427,6 +427,9 @@ void http_parser_pause(http_parser *parser, int paused);
/* Checks if this is the final chunk of the body. */
int http_body_is_final(const http_parser *parser);
+/* Change the maximum header size provided at compile time. */
+void http_parser_set_max_header_size(uint32_t size);
+
#ifdef __cplusplus
}
#endif
--
2.18.2

121
SOURCES/CVE-2018-7159.patch
Unescape View File

@ -0,0 +1,121 @@
From 5756942f51426a24add619377da15b18ecae91ef Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Tue, 27 Mar 2018 16:45:33 +0200
Subject: [PATCH] deps: reject interior blanks in Content-Length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original commit message follows:
Before this commit `Content-Length: 4 2` was accepted as a valid
header and recorded as `parser->content_length = 42`. Now it is
a parse error that fails with error `HPE_INVALID_CONTENT_LENGTH`.
Downstream users that inspect `parser->content_length` and naively
parse the string value using `strtoul()` might get confused by the
discrepancy between the two values. Resolve that by simply not
letting it happen.
Fixes: https://github.com/nodejs-private/security/issues/178
PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
---
http_parser.c | 19 ++++++++++++++++++-
test.c | 21 +++++++++++++++++++++
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/http_parser.c b/http_parser.c
index 5b5657b..f9991c3 100644
--- a/http_parser.c
+++ b/http_parser.c
@@ -370,6 +370,8 @@ enum header_states
, h_connection
, h_content_length
+ , h_content_length_num
+ , h_content_length_ws
, h_transfer_encoding
, h_upgrade
@@ -1406,6 +1408,7 @@ reexecute:
parser->flags |= F_CONTENTLENGTH;
parser->content_length = ch - '0';
+ parser->header_state = h_content_length_num;
break;
case h_connection:
@@ -1493,10 +1496,18 @@ reexecute:
break;
case h_content_length:
+ if (ch == ' ') break;
+ h_state = h_content_length_num;
+ /* FALLTHROUGH */
+
+ case h_content_length_num:
{
uint64_t t;
- if (ch == ' ') break;
+ if (ch == ' ') {
+ h_state = h_content_length_ws;
+ break;
+ }
if (UNLIKELY(!IS_NUM(ch))) {
SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
@@ -1519,6 +1530,12 @@ reexecute:
break;
}
+ case h_content_length_ws:
+ if (ch == ' ') break;
+ SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
+ parser->header_state = h_state;
+ goto error;
+
/* Transfer-Encoding: chunked */
case h_matching_transfer_encoding_chunked:
parser->index++;
diff --git a/test.c b/test.c
index bc4e664..cb445ce 100644
--- a/test.c
+++ b/test.c
@@ -4168,6 +4168,27 @@ main (void)
test_invalid_header_field_token_error(HTTP_RESPONSE);
test_invalid_header_field_content_error(HTTP_RESPONSE);
+ test_simple_type(
+ "POST / HTTP/1.1\r\n"
+ "Content-Length: 42 \r\n" // Note the surrounding whitespace.
+ "\r\n",
+ HPE_OK,
+ HTTP_REQUEST);
+
+ test_simple_type(
+ "POST / HTTP/1.1\r\n"
+ "Content-Length: 4 2\r\n"
+ "\r\n",
+ HPE_INVALID_CONTENT_LENGTH,
+ HTTP_REQUEST);
+
+ test_simple_type(
+ "POST / HTTP/1.1\r\n"
+ "Content-Length: 13 37\r\n"
+ "\r\n",
+ HPE_INVALID_CONTENT_LENGTH,
+ HTTP_REQUEST);
+
//// RESPONSES
test_simple_type("HTP/1.1 200 OK\r\n\r\n", HPE_INVALID_VERSION, HTTP_RESPONSE);
--
2.18.2

450
SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch
Unescape View File

@ -0,0 +1,450 @@
From b41d69bedcdbb8fe0cd790d0bcccbb457d6170d3 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 26 Feb 2020 17:03:26 -0300
Subject: [PATCH] CVE-2019-15605 - HTTP request smuggling
Upstream: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
Support multi-coding Transfer-Encoding
`Transfer-Encoding` header might have multiple codings in it. Even
though llhttp cares only about `chunked`, it must check that `chunked`
is the last coding (if present).
ABNF from RFC 7230:
```
Transfer-Encoding = *( "," OWS ) transfer-coding *( OWS "," [ OWS
transfer-coding ] )
transfer-coding = "chunked" / "compress" / "deflate" / "gzip" /
transfer-extension
transfer-extension = token *( OWS ";" OWS transfer-parameter )
transfer-parameter = token BWS "=" BWS ( token / quoted-string )
```
However, if `chunked` is not last - llhttp must assume that the encoding
and size of the body is unknown (according to 3.3.3 of RFC 7230) and
read the response until EOF. For request - the error must be raised for
an unknown `Transfer-Encoding`.
Furthermore, 3.3.3 of RFC 7230 explicitly states that presence of both
`Transfer-Encoding` and `Content-Length` indicates the smuggling attack
and "ought to be handled as an error".
For the lenient mode:
* Unknown `Transfer-Encoding` in requests is not an error and request
body is simply read until EOF (end of connection)
* Only `Transfer-Encoding: chunked` together with `Content-Length` would
result an error (just like before the patch)
PR-URL: nodejs-private/http-parser-private#4
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
http_parser.c | 110 ++++++++++++++++++++++++++++++++++++++++++++------
http_parser.h | 8 ++--
test.c | 90 +++++++++++++++++++++++++++++++++++++++--
3 files changed, 189 insertions(+), 19 deletions(-)
diff --git a/http_parser.c b/http_parser.c
index aef4437..cd120d8 100644
--- a/http_parser.c
+++ b/http_parser.c
@@ -176,6 +176,22 @@ static const char *method_strings[] =
#undef XX
};
+/* Added for handling CVE-2019-15605. */
+static void reset_flags(http_parser* p)
+{
+ p->flags = 0;
+ p->transfer_encoding = 0;
+}
+
+static void set_transfer_encoding(http_parser* p)
+{
+ p->transfer_encoding = 1;
+}
+
+static int is_transfer_encoding(const http_parser* p)
+{
+ return p->transfer_encoding;
+}
/* Tokens as defined by rfc 2616. Also lowercases them.
* token = 1*<any CHAR except CTLs or separators>
@@ -378,6 +394,7 @@ enum header_states
, h_upgrade
, h_matching_transfer_encoding_chunked
+
, h_matching_connection_token_start
, h_matching_connection_keep_alive
, h_matching_connection_close
@@ -388,6 +405,10 @@ enum header_states
, h_connection_keep_alive
, h_connection_close
, h_connection_upgrade
+
+ /* CVE-2019-15605 */
+ , h_matching_transfer_encoding_token_start
+ , h_matching_transfer_encoding_token
};
enum http_host_state
@@ -722,7 +743,7 @@ reexecute:
{
if (ch == CR || ch == LF)
break;
- parser->flags = 0;
+ reset_flags(parser);
parser->content_length = ULLONG_MAX;
if (ch == 'H') {
@@ -757,7 +778,7 @@ reexecute:
case s_start_res:
{
- parser->flags = 0;
+ reset_flags(parser);
parser->content_length = ULLONG_MAX;
switch (ch) {
@@ -921,7 +942,7 @@ reexecute:
{
if (ch == CR || ch == LF)
break;
- parser->flags = 0;
+ reset_flags(parser);
parser->content_length = ULLONG_MAX;
if (UNLIKELY(!IS_ALPHA(ch))) {
@@ -1313,6 +1334,7 @@ reexecute:
parser->header_state = h_general;
} else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
parser->header_state = h_transfer_encoding;
+ set_transfer_encoding(parser);
}
break;
@@ -1393,10 +1415,14 @@ reexecute:
if ('c' == c) {
parser->header_state = h_matching_transfer_encoding_chunked;
} else {
- parser->header_state = h_general;
+ parser->header_state = h_matching_transfer_encoding_token;
}
break;
+ /* Multi-value `Transfer-Encoding` header */
+ case h_matching_transfer_encoding_token_start:
+ break;
+
case h_content_length:
if (UNLIKELY(!IS_NUM(ch))) {
SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
@@ -1539,16 +1565,41 @@ reexecute:
goto error;
/* Transfer-Encoding: chunked */
+ case h_matching_transfer_encoding_token_start:
+ /* looking for 'Transfer-Encoding: chunked' */
+ if ('c' == c) {
+ h_state = h_matching_transfer_encoding_chunked;
+ } else if (STRICT_TOKEN(c)) {
+ /* TODO(indutny): similar code below does this, but why?
+ * At the very least it seems to be inconsistent given that
+ * h_matching_transfer_encoding_token does not check for
+ * `STRICT_TOKEN`
+ */
+ h_state = h_matching_transfer_encoding_token;
+ } else if (c == ' ' || c == '\t') {
+ /* Skip lws */
+ } else {
+ h_state = h_general;
+ }
+ break;
+
case h_matching_transfer_encoding_chunked:
parser->index++;
if (parser->index > sizeof(CHUNKED)-1
|| c != CHUNKED[parser->index]) {
- h_state = h_general;
+ h_state = h_matching_transfer_encoding_token;
} else if (parser->index == sizeof(CHUNKED)-2) {
h_state = h_transfer_encoding_chunked;
}
break;
+ case h_matching_transfer_encoding_token:
+ if (ch == ',') {
+ h_state = h_matching_transfer_encoding_token_start;
+ parser->index = 0;
+ }
+ break;
+
case h_matching_connection_token_start:
/* looking for 'Connection: keep-alive' */
if (c == 'k') {
@@ -1607,7 +1658,7 @@ reexecute:
break;
case h_transfer_encoding_chunked:
- if (ch != ' ') h_state = h_general;
+ if (ch != ' ') h_state = h_matching_transfer_encoding_token;
break;
case h_connection_keep_alive:
@@ -1732,12 +1783,17 @@ reexecute:
REEXECUTE();
}
- /* Cannot use chunked encoding and a content-length header together
- per the HTTP specification. */
- if ((parser->flags & F_CHUNKED) &&
+ /* Cannot use transfer-encoding and a content-length header together
+ per the HTTP specification. (RFC 7230 Section 3.3.3) */
+ if ((is_transfer_encoding(parser)) &&
(parser->flags & F_CONTENTLENGTH)) {
- SET_ERRNO(HPE_UNEXPECTED_CONTENT_LENGTH);
- goto error;
+ /* Allow it for lenient parsing as long as `Transfer-Encoding` is
+ * not `chunked`
+ */
+ if (!lenient || (parser->flags & F_CHUNKED)) {
+ SET_ERRNO(HPE_UNEXPECTED_CONTENT_LENGTH);
+ goto error;
+ }
}
UPDATE_STATE(s_headers_done);
@@ -1811,8 +1867,31 @@ reexecute:
UPDATE_STATE(NEW_MESSAGE());
CALLBACK_NOTIFY(message_complete);
} else if (parser->flags & F_CHUNKED) {
- /* chunked encoding - ignore Content-Length header */
+ /* chunked encoding - ignore Content-Length header,
+ * prepare for a chunk */
UPDATE_STATE(s_chunk_size_start);
+ } else if (is_transfer_encoding(parser)) {
+ if (parser->type == HTTP_REQUEST && !lenient) {
+ /* RFC 7230 3.3.3 */
+
+ /* If a Transfer-Encoding header field
+ * is present in a request and the chunked transfer coding is not
+ * the final encoding, the message body length cannot be determined
+ * reliably; the server MUST respond with the 400 (Bad Request)
+ * status code and then close the connection.
+ */
+ SET_ERRNO(HPE_INVALID_TRANSFER_ENCODING);
+ RETURN(p - data); /* Error */
+ } else {
+ /* RFC 7230 3.3.3 */
+
+ /* If a Transfer-Encoding header field is present in a response and
+ * the chunked transfer coding is not the final encoding, the
+ * message body length is determined by reading the connection until
+ * it is closed by the server.
+ */
+ UPDATE_STATE(s_body_identity_eof);
+ }
} else {
if (parser->content_length == 0) {
/* Content-Length header given but zero: Content-Length: 0\r\n */
@@ -2064,6 +2143,12 @@ http_message_needs_eof (const http_parser *parser)
return 0;
}
+ /* RFC 7230 3.3.3, see `s_headers_almost_done` */
+ if ((is_transfer_encoding(parser)) &&
+ (parser->flags & F_CHUNKED) == 0) {
+ return 1;
+ }
+
if ((parser->flags & F_CHUNKED) || parser->content_length != ULLONG_MAX) {
return 0;
}
@@ -2107,6 +2192,7 @@ http_parser_init (http_parser *parser, enum http_parser_type t)
parser->type = t;
parser->state = (t == HTTP_REQUEST ? s_start_req : (t == HTTP_RESPONSE ? s_start_res : s_start_req_or_res));
parser->http_errno = HPE_OK;
+ reset_flags(parser);
}
void
diff --git a/http_parser.h b/http_parser.h
index ea7bafe..a4841be 100644
--- a/http_parser.h
+++ b/http_parser.h
@@ -275,8 +275,9 @@ enum flags
XX(INVALID_INTERNAL_STATE, "encountered unexpected internal state")\
XX(STRICT, "strict mode assertion failed") \
XX(PAUSED, "parser is paused") \
- XX(UNKNOWN, "an unknown error occurred")
-
+ XX(UNKNOWN, "an unknown error occurred") \
+ XX(INVALID_TRANSFER_ENCODING, \
+ "request has invalid transfer-encoding")
/* Define HPE_* values for each errno value above */
#define HTTP_ERRNO_GEN(n, s) HPE_##n,
@@ -293,7 +294,7 @@ enum http_errno {
struct http_parser {
/** PRIVATE **/
unsigned int type : 2; /* enum http_parser_type */
- unsigned int flags : 8; /* F_* values from 'flags' enum; semi-public */
+ unsigned int flags : 8; /* F_* values from 'flags' enum; semi-public */
unsigned int state : 7; /* enum state from http_parser.c */
unsigned int header_state : 7; /* enum header_state from http_parser.c */
unsigned int index : 7; /* index into current matcher */
@@ -318,6 +319,7 @@ struct http_parser {
/** PUBLIC **/
void *data; /* A pointer to get hook to the "connection" or "socket" object */
+ unsigned int transfer_encoding : 8; /* CVE-2019-15605 */
};
diff --git a/test.c b/test.c
index a1fa0d3..bb83d14 100644
--- a/test.c
+++ b/test.c
@@ -260,7 +260,6 @@ const struct message requests[] =
,.type= HTTP_REQUEST
,.raw= "POST /post_identity_body_world?q=search#hey HTTP/1.1\r\n"
"Accept: */*\r\n"
- "Transfer-Encoding: identity\r\n"
"Content-Length: 5\r\n"
"\r\n"
"World"
@@ -273,10 +272,9 @@ const struct message requests[] =
,.fragment= "hey"
,.request_path= "/post_identity_body_world"
,.request_url= "/post_identity_body_world?q=search#hey"
- ,.num_headers= 3
+ ,.num_headers= 2
,.headers=
{ { "Accept", "*/*" }
- , { "Transfer-Encoding", "identity" }
, { "Content-Length", "5" }
}
,.body= "World"
@@ -1172,6 +1170,61 @@ const struct message requests[] =
,.body= ""
}
+#define POST_MULTI_TE_LAST_CHUNKED 43
+, {.name= "post - multi coding transfer-encoding chunked body"
+ ,.type= HTTP_REQUEST
+ ,.raw= "POST / HTTP/1.1\r\n"
+ "Transfer-Encoding: deflate, chunked\r\n"
+ "\r\n"
+ "1e\r\nall your base are belong to us\r\n"
+ "0\r\n"
+ "\r\n"
+ ,.should_keep_alive= TRUE
+ ,.message_complete_on_eof= FALSE
+ ,.http_major= 1
+ ,.http_minor= 1
+ ,.method= HTTP_POST
+ ,.query_string= ""
+ ,.fragment= ""
+ ,.request_path= "/"
+ ,.request_url= "/"
+ ,.num_headers= 1
+ ,.headers=
+ { { "Transfer-Encoding" , "deflate, chunked" }
+ }
+ ,.body= "all your base are belong to us"
+ ,.num_chunks_complete= 2
+ ,.chunk_lengths= { 0x1e }
+ }
+
+#define POST_MULTI_LINE_TE_LAST_CHUNKED 43
+, {.name= "post - multi coding transfer-encoding chunked body"
+ ,.type= HTTP_REQUEST
+ ,.raw= "POST / HTTP/1.1\r\n"
+ "Transfer-Encoding: deflate,\r\n"
+ " chunked\r\n"
+ "\r\n"
+ "1e\r\nall your base are belong to us\r\n"
+ "0\r\n"
+ "\r\n"
+ ,.should_keep_alive= TRUE
+ ,.message_complete_on_eof= FALSE
+ ,.http_major= 1
+ ,.http_minor= 1
+ ,.method= HTTP_POST
+ ,.query_string= ""
+ ,.fragment= ""
+ ,.request_path= "/"
+ ,.request_url= "/"
+ ,.num_headers= 1
+ ,.headers=
+ { { "Transfer-Encoding" , "deflate, chunked" }
+ }
+ ,.body= "all your base are belong to us"
+ ,.num_chunks_complete= 2
+ ,.chunk_lengths= { 0x1e }
+ }
+
, {.name= NULL } /* sentinel */
};
@@ -1951,6 +2004,29 @@ const struct message responses[] =
,.chunk_lengths= { 2, 2 }
}
+#define HTTP_200_MULTI_TE_NOT_LAST_CHUNKED 28
+, {.name= "HTTP 200 response with `chunked` being *not last* Transfer-Encoding"
+ ,.type= HTTP_RESPONSE
+ ,.raw= "HTTP/1.1 200 OK\r\n"
+ "Transfer-Encoding: chunked, identity\r\n"
+ "\r\n"
+ "2\r\n"
+ "OK\r\n"
+ "0\r\n"
+ "\r\n"
+ ,.should_keep_alive= FALSE
+ ,.message_complete_on_eof= TRUE
+ ,.http_major= 1
+ ,.http_minor= 1
+ ,.status_code= 200
+ ,.response_status= "OK"
+ ,.num_headers= 1
+ ,.headers= { { "Transfer-Encoding", "chunked, identity" }
+ }
+ ,.body= "2\r\nOK\r\n0\r\n\r\n"
+ ,.num_chunks_complete= 0
+ }
+
, {.name= NULL } /* sentinel */
};
@@ -3629,7 +3705,7 @@ test_chunked_content_length_error (int req)
parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
assert(parsed == strlen(buf));
- buf = "Transfer-Encoding: chunked\r\nContent-Length: 1\r\n\r\n";
+ buf = "Transfer-Encoding: anything\r\nContent-Length: 1\r\n\r\n";
size_t buflen = strlen(buf);
parsed = http_parser_execute(&parser, &settings_null, buf, buflen);
@@ -4277,6 +4353,12 @@ main (void)
"fooba",
HPE_OK);
+ // Unknown Transfer-Encoding in request
+ test_simple("GET / HTTP/1.1\r\n"
+ "Transfer-Encoding: unknown\r\n"
+ "\r\n",
+ HPE_INVALID_TRANSFER_ENCODING);
+
static const char *all_methods[] = {
"DELETE",
"GET",
--
2.18.2

64
SOURCES/remove-unused-functions-from-test-runner.patch
Unescape View File

@ -0,0 +1,64 @@
From d22c4c1e3ab9ffe5faaa08bacd993c814ca1c92e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Tue, 18 Feb 2020 09:11:05 -0300
Subject: [PATCH] Remove unused functions from test runner.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upstream: 705e519bf56e5904c761a411b38a66e84bf7fc2d
PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
---
test.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/test.c b/test.c
index cb445ce..a1fa0d3 100644
--- a/test.c
+++ b/test.c
@@ -27,9 +27,7 @@
#include <stdarg.h>
#if defined(__APPLE__)
-# undef strlcat
# undef strlncpy
-# undef strlcpy
#endif /* defined(__APPLE__) */
#undef TRUE
@@ -1993,12 +1991,6 @@ strlncat(char *dst, size_t len, const char *src, size_t n)
return slen + dlen;
}
-size_t
-strlcat(char *dst, const char *src, size_t len)
-{
- return strlncat(dst, len, src, (size_t) -1);
-}
-
size_t
strlncpy(char *dst, size_t len, const char *src, size_t n)
{
@@ -2017,12 +2009,6 @@ strlncpy(char *dst, size_t len, const char *src, size_t n)
return slen;
}
-size_t
-strlcpy(char *dst, const char *src, size_t len)
-{
- return strlncpy(dst, len, src, (size_t) -1);
-}
-
int
request_url_cb (http_parser *p, const char *buf, size_t len)
{
--
2.18.2

81
SPECS/http-parser.spec
Unescape View File

@ -1,17 +1,22 @@
%bcond_without check
Name: http-parser
Version: 2.9.4
Release: 6%{?dist}
Version: 2.8.0
Release: 9%{?dist}
Summary: HTTP request/response parser for C
License: MIT
URL: https://github.com/nodejs/http-parser
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://github.com/nodejs/http-parser/pull/483
Patch0001: 0001-url-treat-empty-port-as-default.patch
BuildRequires: meson
BuildRequires: gcc
Patch01: CVE-2018-7159.patch
Patch02: CVE-2018-12121.patch
Patch03: remove-unused-functions-from-test-runner.patch
Patch04: CVE-2019-15605-HTTP-request-smuggling.patch
%description
This is a parser for HTTP messages written in C. It parses both requests and
responses. The parser is designed to be used in performance HTTP applications.
@ -29,10 +34,7 @@ Development headers and libraries for http-parser.
%prep
%autosetup -p1
%ifarch %{arm}
# https://github.com/nodejs/http-parser/issues/507
sed -i -e "/sizeof(http_parser)/d" test.c
%endif
# TODO: try to send upstream?
cat > meson.build << EOF
project('%{name}', 'c', version : '%{version}')
@ -58,8 +60,10 @@ EOF
%install
%meson_install
%if %{with check}
%check
%meson_test
%endif
%ldconfig_scriptlets
@ -75,52 +79,37 @@ EOF
%{_libdir}/libhttp_parser_strict.so
%changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.4-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.4-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Apr 15 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 2.9.4-1
- Update to 2.9.4
* Mon Mar 02 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 2.9.3-2
- Include patch to work with colon but no port
* Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.8.0-9
- Rebuilt for MSVSphere 8.8
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Feb 26 2020 Sergio Correia <scorreia@redhat.com> - 2.8.0-9
- Do not break ABI with CVE-2019-15605 fix
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 19 2020 Sergio Correia <scorreia@redhat.com> - 2.8.0-8
- Update gating tests due to CVE-2019-15605
* Mon Apr 22 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.9.2-1
- Update to 2.9.2
* Tue Feb 18 2020 Sergio Corrreia <scorreia@redhat.com> - 2.8.0-7
- Resolves: CVE-2019-15605 http-parser: nodejs: HTTP request
smuggling using malformed Transfer-Encoding header
* Tue Apr 16 2019 Adam Williamson <awilliam@redhat.com> - 2.9.1-2
- Rebuild with Meson fix for #1699099
* Tue Oct 29 2019 Sergio Correia <scorreia@redhat.com> - 2.8.0-6
- Provide -devel package
Resolves: rhbz#1748765: http-parser-devel package not available in CRB
* Thu Apr 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.9.1-1
- Update to 2.9.1
* Mon Aug 12 2019 Sergio Correia <scorreia@redhat.com> - 2.8.0-5
- Resolves: rhbz#1686488: 'make test' fails with stringop-overflow error
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Aug 08 2019 Sergio Correia <scorreia@redhat.com> - 2.8.0-4
- Resolves: rhbz#1666382: CVE-2018-12121 http-parser: nodejs: Denial of
Service with large HTTP headers [rhel-8]
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Apr 11 2019 Daniel Kopecek <dkopecek@redhat.com> - 2.8.0-3
- spec: make the check phase conditional
* Mon Apr 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.8.1-1
- Update to 2.8.1
* Mon Dec 3 2018 Jakub Hrozek <jhrozek@redhat.com> - 2.8.0-2
- Resolves: #rhbz1654223: CVE-2018-7159 http-parser: nodejs: HTTP parser
allowed for spaces inside Content-Length header
values [rhel-8]
* Sat Feb 10 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.8.0-1
- Update to 2.8.0

Write Preview
Loading…
Cancel
Save