[Bro-Dev] [JIRA] (BIT-1235) HTTP multipart POST request alters file contents

Mon, 13 Oct 2014 11:27:29 -0700 

    [ 
https://bro-tracker.atlassian.net/browse/BIT-1235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18305#comment-18305
 ] 

Brian O'Berry edited comment on BIT-1235 at 10/13/14 1:19 PM:
--------------------------------------------------------------

We've run this through our QA process and we've been running it for almost a 
week without issue.  From our standpoint, it's ready for merge.  Can we help 
with anything else?

Thank you!


was (Author: boberry):
We've run this through our QA process and it's been running on our network for 
almost a week without issue.  From our standpoint, it's ready for merge.  Can 
we help with anything else?

Thank you!

> HTTP multipart POST request alters file contents
> ------------------------------------------------
>
>                 Key: BIT-1235
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1235
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: CentOS 6.5, file extract analyzer
>            Reporter: Brian O'Berry
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>         Attachments: bro-2.3-HTTP.patch, gdb.log, upload-api-http.pcap
>
>
> HTTP POST multipart processing converts bare CR or LF chars to CRLF pairs, 
> corrupting most files when extracted with Files::ANALYZER_EXTRACT.  This is 
> clear in the attached gdb.log, which has a backtrace that shows a buffer with 
> the start of a PDF file entering MIME/HTTP entity processing at frame 25, and 
> emerging with LF chars converted to CRLF at frame 6.
> Also attached are the pcap file associated with the backtrace, and an initial 
> patch that we've barely begun to test.  A point of concern with the patch is 
> that it changes a weird.log entry from "line_terminated_with_single_CR" to 
> "http_no_crlf_in_header_list".  It does enable Files::ANALYZER_EXTRACT to 
> correctly extract the PDF file from the attached pcap.
> Please let me know if we can provide anything else to help with this.



--
This message was sent by Atlassian JIRA
(v6.4-OD-07-004#64005)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

Reply via email to