Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2024-11-08 11:59:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and      /work/SRC/openSUSE:Factory/.libhtp.new.2017 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libhtp"

Fri Nov  8 11:59:43 2024 rev:20 rq:1222512 version:0.5.49

Changes:
--------
--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes    2024-06-03 
17:46:07.096855782 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.2017/libhtp.changes  2024-11-08 
12:04:06.005276508 +0100
@@ -1,0 +2,11 @@
+Thu Oct  3 12:37:06 UTC 2024 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 0.5.49
+  * headers: put a configurable limit on their numbers.
+  * htp/table: only fetch element when needed.
+  * fuzz: limits the number of transactions.
+  * fuzz: improve debug output.
+  * fuzz: flush to get full assertion text.
+  * request: trim headers values also when there is no name.
+
+-------------------------------------------------------------------

Old:
----
  libhtp-0.5.48.tar.gz

New:
----
  libhtp-0.5.49.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libhtp.spec ++++++
--- /var/tmp/diff_new_pack.dio3z6/_old  2024-11-08 12:04:07.401334770 +0100
+++ /var/tmp/diff_new_pack.dio3z6/_new  2024-11-08 12:04:07.413335271 +0100
@@ -21,7 +21,7 @@
 %define lname   %{name}%{sover}
 %bcond_without tests
 Name:           libhtp
-Version:        0.5.48
+Version:        0.5.49
 Release:        0
 Summary:        HTTP normalizer and parser
 License:        BSD-3-Clause

++++++ libhtp-0.5.48.tar.gz -> libhtp-0.5.49.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/.github/workflows/builds.yml 
new/libhtp-0.5.49/.github/workflows/builds.yml
--- old/libhtp-0.5.48/.github/workflows/builds.yml      2024-04-22 
16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/.github/workflows/builds.yml      2024-09-30 
14:38:27.000000000 +0200
@@ -13,37 +13,56 @@
   DEBIAN_FRONTEND: "noninteractive"
 
 jobs:
-  ubuntu-2004:
-    name: Ubuntu 20.04
+  almalinux-9:
+    name: AlmaLinux 9
     runs-on: ubuntu-latest
-    container: ubuntu:20.04
+    container: almalinux:9
     steps:
       - uses: actions/checkout@v3.1.0
       - name: Install system dependencies
         run: |
-            apt update
-            apt-get upgrade -y
-            apt-get -y install make \
+            dnf -y install make \
                 autoconf \
-                build-essential \
+                automake \
+                libtool \
+                gcc \
+                gcc-c++ \
+                make \
+                pkgconfig \
+                zlib-devel
+      - run: ./autogen.sh
+      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+      - run: make -j2
+      - run: make install
+      - run: make distcheck
+
+  almalinux-8:
+    name: AlmaLinux 8
+    runs-on: ubuntu-latest
+    container: almalinux:8
+    steps:
+      - uses: actions/checkout@v3.1.0
+      - name: Install system dependencies
+        run: |
+            dnf -y install make \
                 autoconf \
                 automake \
-                dpkg-dev \
-                debhelper \
                 libtool \
+                gcc \
+                gcc-c++ \
                 make \
-                pkg-config \
-                zlib1g-dev
+                pkgconfig \
+                zlib-devel
       - run: ./autogen.sh
       - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
       - run: make -j2
       - run: make install
       - run: make distcheck
 
-  ubuntu-2204:
-    name: Ubuntu 22.04
+  ubuntu-2004:
+    name: Ubuntu 20.04
     runs-on: ubuntu-latest
-    container: ubuntu:22.04
+    container: ubuntu:20.04
     steps:
       - uses: actions/checkout@v3.1.0
       - name: Install system dependencies
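Review bot: Both new AlmaLinux jobs pin the checkout step to a tag, `uses: actions/checkout@v3.1.0`, and a tag is a mutable ref, so the step is neither reproducible nor protected against a moved or compromised tag running arbitrary code with the job's token. Pin third-party actions to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-40-char-sha> # v3.1.0`, and apply the same to the Ubuntu jobs that keep the tag pin. If the runner starts warning about Node 16 actions, v3 is also an old major and moving to a SHA of a current v4 release is the usual fix; I cannot tell from the hunk whether that warning is already firing.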
@@ -53,8 +72,9 @@
             apt-get -y install make \
                 autoconf \
                 build-essential \
-                autoconf \
                 automake \
+                dpkg-dev \
+                debhelper \
                 libtool \
                 make \
                 pkg-config \
@@ -65,24 +85,24 @@
       - run: make install
       - run: make distcheck
 
-  centos-7:
-    name: CentOS 7
+  ubuntu-2204:
+    name: Ubuntu 22.04
     runs-on: ubuntu-latest
-    container: centos:7
+    container: ubuntu:22.04
     steps:
       - uses: actions/checkout@v3.1.0
       - name: Install system dependencies
         run: |
-          yum -y install \
+            apt update
+            apt-get upgrade -y
+            apt-get -y install make \
                 autoconf \
+                build-essential \
                 automake \
-                gcc \
-                gcc-c++ \
                 libtool \
                 make \
-                pkgconfig \
-                which \
-                zlib-devel
+                pkg-config \
+                zlib1g-dev
       - run: ./autogen.sh
       - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
       - run: make -j2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/ChangeLog new/libhtp-0.5.49/ChangeLog
--- old/libhtp-0.5.48/ChangeLog 2024-04-22 16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/ChangeLog 2024-09-30 14:38:27.000000000 +0200
@@ -1,3 +1,22 @@
+0.5.49 (30 September 2024)
+--------------------------
+
+- headers: put a configurable limit on their numbers
+
+- htp/table: only fetch element when needed
+
+- workflows: add almalinux 8 and 9 jobs
+
+- workflows: remove centos 7 as it is EOL
+
+- fuzz: limits the number of transactions
+
+- fuzz: improve debug output
+
+- fuzz: flush to get full assertion text
+
+- request: trim headers values also when there is no name
+
 0.5.48 (22 April 2024)
 ----------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/VERSION new/libhtp-0.5.49/VERSION
--- old/libhtp-0.5.48/VERSION   2024-04-22 16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/VERSION   2024-09-30 14:38:27.000000000 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.48
+PKG_VERSION=0.5.49
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_config.c 
new/libhtp-0.5.49/htp/htp_config.c
--- old/libhtp-0.5.48/htp/htp_config.c  2024-04-22 16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/htp/htp_config.c  2024-09-30 14:38:27.000000000 +0200
@@ -145,6 +145,8 @@
     0xff, 0x5d, 0x7d, 0xff, 0x5e, 0x7e, 0x00, 0x00, 0x00
 };
 
+#define HTP_HEADERS_LIMIT 1024
+
 htp_cfg_t *htp_config_create(void) {
     htp_cfg_t *cfg = calloc(1, sizeof (htp_cfg_t));
     if (cfg == NULL) return NULL;
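Review bot: `#define HTP_HEADERS_LIMIT 1024` is private to htp_config.c, so callers of the new public setter have no way to see the default they are overriding, while the related per-name cap `HTP_MAX_HEADERS_REPETITIONS` is exported from htp_core.h. Either move the define next to that one in htp_core.h, or at least quote the value in the setter's public doc comment, e.g. `/** Default cap on distinct header names per message; see htp_config_set_number_headers_limit(). */`. htp_config_create continues past the end of this hunk.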
@@ -163,6 +165,7 @@
     cfg->response_lzma_layer_limit = 1; // default is only one layer
     cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT;
     cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC;
+    cfg->number_headers_limit = HTP_HEADERS_LIMIT;
     cfg->allow_space_uri = 0;
 
     // Default settings for URL-encoded data.
@@ -547,6 +550,11 @@
     }
 }
 
+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit) {
+    if (cfg == NULL) return;
+    cfg->number_headers_limit = limit;
+}
+
 void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level) {
     if (cfg == NULL) return;
     cfg->log_level = log_level;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_config.h 
new/libhtp-0.5.49/htp/htp_config.h
--- old/libhtp-0.5.48/htp/htp_config.h  2024-04-22 16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/htp/htp_config.h  2024-09-30 14:38:27.000000000 +0200
@@ -467,6 +467,14 @@
 void htp_config_set_max_tx(htp_cfg_t *cfg, uint32_t limit);
 
 /**
+ * Configures the maximum number of headers LibHTP will accept per request or 
response.
+ *
+ * @param[in] cfg
+ * @param[in] limit
+ */
+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit);
+
+/**
  * Configures the desired log level.
  * 
  * @param[in] cfg
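Review bot: The doc comment for `htp_config_set_number_headers_limit` does not tell a caller what happens when the limit is hit, what the default is, or what is counted, which is exactly what someone tuning it needs. From the parser hunks in this commit the effect is: the transaction gets `HTP_HEADERS_TOO_MANY`, a warning is logged once, and header processing returns `HTP_ERROR`; the check sits in the "add as a new header" branch, so it appears to count distinct header names rather than repeated values (confirm against the other branch, which is outside the hunk). I would extend the comment to say so, e.g. `Default is 1024. Once more than @a limit distinct header names have been seen, the transaction is flagged HTP_HEADERS_TOO_MANY, a warning is logged and parsing of that message stops with HTP_ERROR.` Also state whether 0 is meaningful; the setter stores it unchanged.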
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_config_private.h 
new/libhtp-0.5.49/htp/htp_config_private.h
--- old/libhtp-0.5.48/htp/htp_config_private.h  2024-04-22 16:41:50.000000000 
+0200
+++ new/libhtp-0.5.49/htp/htp_config_private.h  2024-09-30 14:38:27.000000000 
+0200
@@ -363,6 +363,9 @@
 
     /** Maximum number of transactions. */
     uint32_t max_tx;
+
+    /** Maximum number of headers. */
+    uint32_t number_headers_limit;
 };
 
 #ifdef __cplusplus
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_core.h 
new/libhtp-0.5.49/htp/htp_core.h
--- old/libhtp-0.5.48/htp/htp_core.h    2024-04-22 16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/htp/htp_core.h    2024-09-30 14:38:27.000000000 +0200
@@ -235,6 +235,7 @@
 #define HTP_REQUEST_INVALID                0x100000000ULL
 #define HTP_REQUEST_INVALID_C_L            0x200000000ULL
 #define HTP_AUTH_INVALID                   0x400000000ULL
+#define HTP_HEADERS_TOO_MANY               0x800000000ULL
 
 #define HTP_MAX_HEADERS_REPETITIONS 64
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_request_generic.c 
new/libhtp-0.5.49/htp/htp_request_generic.c
--- old/libhtp-0.5.48/htp/htp_request_generic.c 2024-04-22 16:41:50.000000000 
+0200
+++ new/libhtp-0.5.49/htp/htp_request_generic.c 2024-09-30 14:38:27.000000000 
+0200
@@ -120,6 +120,17 @@
         bstr_free(h->value);
         free(h);
     } else {
+        if (htp_table_size(connp->in_tx->request_headers) > 
connp->cfg->number_headers_limit) {
+            if (!(connp->in_tx->flags & HTP_HEADERS_TOO_MANY)) {
+                connp->in_tx->flags |= HTP_HEADERS_TOO_MANY;
+                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many 
request headers");
+            }
+            bstr_free(h->name);
+            bstr_free(h->value);
+            free(h);
+            // give up on what comes next
+            return HTP_ERROR;
+        }
         // Add as a new header.
         if (htp_table_add(connp->in_tx->request_headers, h->name, h) != 
HTP_OK) {
             bstr_free(h->name);
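Review bot: The guard `htp_table_size(...) > connp->cfg->number_headers_limit` is evaluated before the header is added, so a table already holding exactly `limit` entries passes and the message ends up with `limit + 1` distinct headers before the next one is rejected; the public comment calls this the "maximum number of headers", so the comparison should be `>=`, i.e. `if (htp_table_size(connp->in_tx->request_headers) >= connp->cfg->number_headers_limit) {`. Note also that the check only runs on the new-name branch, so repeated names are bounded by whatever the other branch does (outside this hunk), which is fine if documented. The same twelve lines are duplicated in htp_response_generic.c; a small `static` helper taking the tx, table and a "request"/"response" label would keep the two comparisons from drifting. The enclosing function starts before and ends after this hunk.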
@@ -172,7 +183,12 @@
         h->name = bstr_dup_c("");
         if (h->name == NULL) return HTP_ERROR;
 
-        h->value = bstr_dup_mem(data, len);
+        // Ignore LWS after field-content.
+        value_end = len - 1;
+        while ((value_end > 0) && (htp_is_lws(data[value_end]))) {
+            value_end--;
+        }
+        h->value = bstr_dup_mem(data, value_end + 1);
         if (h->value == NULL) {
             bstr_free(h->name);
             return HTP_ERROR;
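Review bot: `value_end = len - 1;` wraps to the maximum value if `len` is 0, and the following `data[value_end]` read is then out of bounds; I cannot see from the hunk whether the caller guarantees a non-empty line on this colon-less path, and `value_end`'s declaration is outside the hunk (presumably `size_t`), so this needs checking. The trim can be written without the underflow by walking an exclusive end instead: `value_end = len;` / `while ((value_end > 0) && (htp_is_lws(data[value_end - 1]))) value_end--;` / `h->value = bstr_dup_mem(data, value_end);`. That also makes an all-whitespace line yield an empty value rather than keeping one LWS byte as the current loop does; if the Rust side compared by fuzz_diff keeps that byte, keep the `value_end > 0` floor and just add a `len == 0` early case instead. The enclosing function starts before and ends after this hunk.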
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_response_generic.c 
new/libhtp-0.5.49/htp/htp_response_generic.c
--- old/libhtp-0.5.48/htp/htp_response_generic.c        2024-04-22 
16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/htp/htp_response_generic.c        2024-09-30 
14:38:27.000000000 +0200
@@ -321,6 +321,16 @@
         bstr_free(h->value);
         free(h);       
     } else {
+        if (htp_table_size(connp->out_tx->response_headers) > 
connp->cfg->number_headers_limit) {
+            if (!(connp->out_tx->flags & HTP_HEADERS_TOO_MANY)) {
+                connp->out_tx->flags |= HTP_HEADERS_TOO_MANY;
+                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many 
response headers");
+            }
+            bstr_free(h->name);
+            bstr_free(h->value);
+            free(h);
+            return HTP_ERROR;
+        }
         // Add as a new header.
         if (htp_table_add(connp->out_tx->response_headers, h->name, h) != 
HTP_OK) {
             bstr_free(h->name);
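Review bot: As on the request side, `htp_table_size(...) > connp->cfg->number_headers_limit` runs before the insert, so `limit + 1` distinct response headers are accepted before the first rejection; use `if (htp_table_size(connp->out_tx->response_headers) >= connp->cfg->number_headers_limit) {` so the configured value really is the maximum. This copy also lacks the `// give up on what comes next` comment that explains the `return HTP_ERROR;` on the request side; add it here too, or better, factor both copies into one `static` helper so the comparison and the message can only be changed in one place. The enclosing function starts before and ends after this hunk.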
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/htp/htp_table.c 
new/libhtp-0.5.49/htp/htp_table.c
--- old/libhtp-0.5.48/htp/htp_table.c   2024-04-22 16:41:50.000000000 +0200
+++ new/libhtp-0.5.49/htp/htp_table.c   2024-09-30 14:38:27.000000000 +0200
@@ -191,8 +191,8 @@
     // keys with the parameter, return data if found.    
     for (size_t i = 0, n = htp_list_size(&table->list); i < n; i += 2) {
         bstr *key_candidate = htp_list_get(&table->list, i);
-        void *element = htp_list_get(&table->list, i + 1);
         if (bstr_cmp_nocase(key_candidate, key) == 0) {
+            void *element = htp_list_get(&table->list, i + 1);
             return element;
         }
     }
@@ -207,8 +207,8 @@
     // keys with the parameter, return data if found.    
     for (size_t i = 0, n = htp_list_size(&table->list); i < n; i += 2) {
         bstr *key_candidate = htp_list_get(&table->list, i);
-        void *element = htp_list_get(&table->list, i + 1);
         if (bstr_cmp_c_nocasenorzero(key_candidate, ckey) == 0) {
+            void *element = htp_list_get(&table->list, i + 1);
             return element;
         }
     }
@@ -235,8 +235,8 @@
     // keys with the parameter, return data if found.
     for (size_t i = 0, n = htp_list_size(&table->list); i < n; i += 2) {
         bstr *key_candidate = htp_list_get(&table->list, i);
-        void *element = htp_list_get(&table->list, i + 1);
         if (bstr_cmp_mem_nocase(key_candidate, key, key_len) == 0) {
+            void *element = htp_list_get(&table->list, i + 1);
             return element;
         }
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/test/fuzz/fuzz_diff.c 
new/libhtp-0.5.49/test/fuzz/fuzz_diff.c
--- old/libhtp-0.5.48/test/fuzz/fuzz_diff.c     2024-04-22 16:41:50.000000000 
+0200
+++ new/libhtp-0.5.49/test/fuzz/fuzz_diff.c     2024-09-30 14:38:27.000000000 
+0200
@@ -339,6 +339,7 @@
     uint32_t rsnbh = htp_tx_request_headers_size(rstx);
     if (rsnbh != nbhc) {
         printf("Assertion failure: got nbheaders c=%d versus rust=%d\n", nbhc, 
rsnbh);
+        fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         abort();
 #endif
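Review bot: `rsnbh` is declared `uint32_t` on the first line of this hunk and is printed with `%d`, as is `nbhc`, which looks like the same type; mismatched conversion specifiers are undefined behaviour and trip `-Wformat`, which matters in a harness that aborts on its own output. Use `printf("Assertion failure: got nbheaders c=%" PRIu32 " versus rust=%" PRIu32 "\n", nbhc, rsnbh);` with `<inttypes.h>` (or `%u` if the file avoids that header). The same `%d`-for-`uint32_t` pattern recurs in the later hunks of this file, including the `uint32_t c` transaction count near the end. The `fflush(stdout)` additions themselves are right, since the message otherwise dies in the stdio buffer when `abort()` fires.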
@@ -349,14 +350,16 @@
         htp_header_t *h = (htp_header_t *) 
htp_table_get_index(ctx->request_headers, i, NULL);
         void *rsh = htp_tx_request_header_index(rstx, (size_t) i);
         if (bstrDiff(htp_header_name(rsh), h->name, "header-name")) {
-            printf("request header %d is different\n", i);
+            printf("request header name %d is different\n", i);
+            fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             abort();
 #endif
             return 1;
         }
         if (bstrDiff(htp_header_value(rsh), h->value, "header-value")) {
-            printf("request header %d is different\n", i);
+            printf("request header value %d is different\n", i);
+            fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             abort();
 #endif
@@ -368,6 +371,7 @@
     rsnbh = htp_tx_response_headers_size(rstx);
     if (rsnbh != nbhc) {
         printf("Assertion failure: got nbheaders c=%d versus rust=%d\n", nbhc, 
rsnbh);
+        fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         abort();
 #endif
@@ -378,14 +382,16 @@
         htp_header_t *h = (htp_header_t *) 
htp_table_get_index(ctx->response_headers, i, NULL);
         void *rsh = htp_tx_response_header_index(rstx, (size_t) i);
         if (bstrDiff(htp_header_name(rsh), h->name, "header-name")) {
-            printf("response header %d is different\n", i);
+            printf("response header name %d is different\n", i);
+            fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             abort();
 #endif
             return 1;
         }
         if (bstrDiff(htp_header_value(rsh), h->value, "header-value")) {
-            printf("response header %d is different\n", i);
+            printf("response header value %d is different\n", i);
+            fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             abort();
 #endif
@@ -401,6 +407,7 @@
     uint32_t c = htp_list_size(conn->transactions);
     if (rs != c) {
         printf("Assertion failure: got nbtx c=%d versus rust=%d\n", c, rs);
+        fflush(stdout);
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         abort();
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.48/test/fuzz/fuzz_htp.c 
new/libhtp-0.5.49/test/fuzz/fuzz_htp.c
--- old/libhtp-0.5.48/test/fuzz/fuzz_htp.c      2024-04-22 16:41:50.000000000 
+0200
+++ new/libhtp-0.5.49/test/fuzz/fuzz_htp.c      2024-09-30 14:38:27.000000000 
+0200
@@ -159,6 +159,7 @@
     htp_config_register_response_start(cfg, HTPCallbackResponseStart);
     htp_config_register_response_complete(cfg, HTPCallbackResponse);
     htp_config_register_request_line(cfg, HTPCallbackRequestLine);
+    htp_config_set_max_tx(cfg, 512);
 
     connp = htp_connp_create(cfg);
     htp_connp_set_user_data(connp, (void *) 0x02);
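Review bot: The harness now caps transactions with `htp_config_set_max_tx(cfg, 512)` but leaves the new header limit at the 1024 default set in htp_config_create (assuming no earlier call in this function changes it, which I cannot see), so a fuzzer needs more than a thousand distinct header names in one message before the new `HTP_HEADERS_TOO_MANY` path executes at all. Adding `htp_config_set_number_headers_limit(cfg, 64);` next to the max_tx call would make that branch cheap to reach; fuzz_diff.c should keep the default if the Rust side it compares against uses 1024. Separately, `htp_connp_create(cfg)` is dereferenced on the next line without a NULL check; only an allocation failure triggers it, but an `if (connp == NULL) return 0;` is what the rest of a fuzz target would expect. The enclosing function starts before and ends after this hunk.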
