Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2023-06-30 19:58:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and      /work/SRC/openSUSE:Factory/.libhtp.new.13546 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libhtp"

Fri Jun 30 19:58:48 2023 rev:15 rq:1096030 version:0.5.44

Changes:
--------
--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes    2023-04-29 
17:28:24.606609881 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.13546/libhtp.changes 2023-06-30 
19:59:08.413739106 +0200
@@ -1,0 +2,8 @@
+Tue Jun 20 07:19:24 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Update to version 0.5.44
+  * response: only trim spaces at headers names end
+  * response: skips lines before response line
+  * headers: log a warning for chunks extension
+
+-------------------------------------------------------------------

Old:
----
  libhtp-0.5.43.tar.gz

New:
----
  libhtp-0.5.44.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libhtp.spec ++++++
--- /var/tmp/diff_new_pack.C1LlxR/_old  2023-06-30 19:59:09.597746148 +0200
+++ /var/tmp/diff_new_pack.C1LlxR/_new  2023-06-30 19:59:09.633746362 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:           libhtp
-Version:        0.5.43
+Version:        0.5.44
 Release:        0
 Summary:        HTTP normalizer and parser
 License:        BSD-3-Clause

++++++ libhtp-0.5.43.tar.gz -> libhtp-0.5.44.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/ChangeLog new/libhtp-0.5.44/ChangeLog
--- old/libhtp-0.5.43/ChangeLog 2023-04-13 10:41:58.000000000 +0200
+++ new/libhtp-0.5.44/ChangeLog 2023-06-13 15:14:36.000000000 +0200
@@ -1,3 +1,12 @@
+0.5.44 (13 June 2023)
+---------------------
+
+- response: only trim spaces at headers names end
+
+- response: skips lines before response line
+
+- headers: log a warning for chunks extension
+
 0.5.43 (13 April 2023)
 ----------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/VERSION new/libhtp-0.5.44/VERSION
--- old/libhtp-0.5.43/VERSION   2023-04-13 10:41:58.000000000 +0200
+++ new/libhtp-0.5.44/VERSION   2023-06-13 15:14:36.000000000 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.43
+PKG_VERSION=0.5.44
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_private.h 
new/libhtp-0.5.44/htp/htp_private.h
--- old/libhtp-0.5.43/htp/htp_private.h 2023-04-13 10:41:58.000000000 +0200
+++ new/libhtp-0.5.44/htp/htp_private.h 2023-06-13 15:14:36.000000000 +0200
@@ -181,7 +181,7 @@
 void htp_utf8_validate_path(htp_tx_t *tx, bstr *path);
 
 int64_t htp_parse_content_length(bstr *b, htp_connp_t *connp);
-int64_t htp_parse_chunked_length(unsigned char *data, size_t len);
+int64_t htp_parse_chunked_length(unsigned char *data, size_t len, int 
*extension);
 int64_t htp_parse_positive_integer_whitespace(unsigned char *data, size_t len, 
int base);
 int htp_parse_status(bstr *status);
 int htp_parse_authorization_digest(htp_connp_t *connp, htp_header_t 
*auth_header);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_request.c 
new/libhtp-0.5.44/htp/htp_request.c
--- old/libhtp-0.5.43/htp/htp_request.c 2023-04-13 10:41:58.000000000 +0200
+++ new/libhtp-0.5.44/htp/htp_request.c 2023-06-13 15:14:36.000000000 +0200
@@ -499,7 +499,11 @@
 
             htp_chomp(data, &len);
 
-            connp->in_chunked_length = htp_parse_chunked_length(data, len);
+            int chunk_ext = 0;
+            connp->in_chunked_length = htp_parse_chunked_length(data, len, 
&chunk_ext);
+            if (chunk_ext == 1) {
+                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request 
chunk extension");
+            }
 
             htp_connp_req_clear_buffer(connp);
 
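Review bot: The new `htp_log` call in the chunk-length state runs once for every chunk line that carries an extension, so a request body split into many small chunks yields one warning per chunk. Nothing in the hunk limits this. If log entries are kept per connection (not visible here), consider recording the condition once per transaction, for example by guarding the call with a per-transaction flag. The enclosing state function starts and ends outside the hunk.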
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_response.c 
new/libhtp-0.5.44/htp/htp_response.c
--- old/libhtp-0.5.43/htp/htp_response.c        2023-04-13 10:41:58.000000000 
+0200
+++ new/libhtp-0.5.44/htp/htp_response.c        2023-06-13 15:14:36.000000000 
+0200
@@ -415,8 +415,11 @@
             fprint_raw_data(stderr, "Chunk length line", data, len);
             #endif
 
-            connp->out_chunked_length = htp_parse_chunked_length(data, len);
-
+            int chunk_ext = 0;
+            connp->out_chunked_length = htp_parse_chunked_length(data, len, 
&chunk_ext);
+            if (chunk_ext == 1) {
+                htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request 
chunk extension");
+            }
             // empty chunk length line, lets try to continue
             if (connp->out_chunked_length == -1004) {
                 connp->out_current_consume_offset = 
connp->out_current_read_offset;
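Review bot: The warning added on the response path reuses the text "Request chunk extension", although this code fills `connp->out_chunked_length`, i.e. it is parsing the response body. A consumer that keys detections or events on the message text cannot tell a server-sent chunk extension from a client-sent one. If a separate message is wanted, `htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Response chunk extension");` makes the direction explicit, and any consumer that maps message strings to events would need a matching entry. If sharing one message is deliberate, a short comment saying so would prevent a later "fix". The enclosing function continues outside the hunk.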
@@ -1075,6 +1078,12 @@
             // data as a response body because that is what browsers do.
            
             if (htp_treat_response_line_as_body(data, len)) {
+                // if we have a next line beginning with H, skip this one
+                if (connp->out_current_read_offset+1 < connp->out_current_len 
&& (connp->out_current_data[connp->out_current_read_offset] == 'H' || len <= 
2)) {
+                    connp->out_tx->response_ignored_lines++;
+                    htp_connp_res_clear_buffer(connp);
+                    return HTP_OK;
+                }
                 connp->out_tx->response_content_encoding_processing = 
HTP_COMPRESSION_NONE;
 
                 connp->out_current_consume_offset = 
connp->out_current_read_offset;
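Review bot: The added comment covers only the "next line begins with H" case, but the condition also skips any line with `len <= 2` whatever the next byte is, and `response_ignored_lines` is incremented with no cap visible in the hunk. Lines skipped here are dropped from what the parser reports, while the surrounding comment says browsers treat such data as body, so the parser's view and a client's view of the response may differ. The comment should say why skipping is safe and whether a limit on ignored lines is enforced elsewhere. A comment matching the code would be `// skip this line if it is near-empty (len <= 2) or the next buffered byte is 'H', i.e. a status line probably follows`. The function continues outside the hunk.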
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_response_generic.c 
new/libhtp-0.5.44/htp/htp_response_generic.c
--- old/libhtp-0.5.43/htp/htp_response_generic.c        2023-04-13 
10:41:58.000000000 +0200
+++ new/libhtp-0.5.44/htp/htp_response_generic.c        2023-06-13 
15:14:36.000000000 +0200
@@ -173,7 +173,7 @@
 
         // Ignore unprintable after field-name.
         prev = name_end;
-        while ((prev > name_start) && (data[prev - 1] <= 0x20)) {
+        while ((prev > name_start) && htp_is_space(data[prev - 1])) {
             prev--;
             name_end--;
 
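Review bot: The context comment `// Ignore unprintable after field-name.` no longer describes the loop. With `htp_is_space(data[prev - 1])`, only bytes that `htp_is_space` accepts are trimmed, and any other byte at or below 0x20 now stays in the header name. Update the comment to something like `// Trim trailing whitespace after field-name; other control bytes remain part of the name.` Whether such names are flagged later is not visible here, because the loop body and the rest of the function lie outside the hunk.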
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_util.c 
new/libhtp-0.5.44/htp/htp_util.c
--- old/libhtp-0.5.43/htp/htp_util.c    2023-04-13 10:41:58.000000000 +0200
+++ new/libhtp-0.5.44/htp/htp_util.c    2023-06-13 15:14:36.000000000 +0200
@@ -300,7 +300,7 @@
  * @param[in] len
  * @return Chunk length, or a negative number on error.
  */
-int64_t htp_parse_chunked_length(unsigned char *data, size_t len) {
+int64_t htp_parse_chunked_length(unsigned char *data, size_t len, int 
*extension) {
     // skip leading line feeds and other control chars
     while (len) {
         unsigned char c = *data;
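Review bot: The doc comment above `htp_parse_chunked_length` still lists only `data` and `len`, so the new `extension` out-parameter is undocumented. Add a line such as `@param[out] extension Set to 1 when a ';' appears in the data after the length; may be NULL; never cleared by this function.` The last clause matters because the function only ever writes 1, so callers must initialise the variable to 0, as both call sites in htp_request.c and htp_response.c do. The function body continues outside the hunk.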
@@ -323,6 +323,16 @@
     }
     // cut off trailing junk
     if (i != len) {
+        if (extension) {
+            size_t j = i;
+            while (j < len) {
+                if (data[j] == ';') {
+                    *extension = 1;
+                    break;
+                }
+                j++;
+            }
+        }
         len = i;
     }
 
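Review bot: The hand-written scan for ';' inside `if (extension)` can be a single library call, which is shorter and leaves no index to get wrong: `if (extension && memchr(data + i, ';', len - i) != NULL) *extension = 1;`. This assumes `<string.h>` is already included in htp_util.c, which the hunk does not show. Note also that a ';' anywhere in the discarded tail sets the flag, not only one directly after the digits, so the warning can fire on malformed trailing data as well as on real chunk extensions.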
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/test/test_utils.cpp 
new/libhtp-0.5.44/test/test_utils.cpp
--- old/libhtp-0.5.43/test/test_utils.cpp       2023-04-13 10:41:58.000000000 
+0200
+++ new/libhtp-0.5.44/test/test_utils.cpp       2023-06-13 15:14:36.000000000 
+0200
@@ -215,7 +215,7 @@
 }
 
 TEST(UtilTest, ParseChunkedLength) {
-    EXPECT_EQ(0x12a5, htp_parse_chunked_length((unsigned char*) "12a5", 4));
+    EXPECT_EQ(0x12a5, htp_parse_chunked_length((unsigned char*) "12a5", 4, 
NULL));
 }
 
 TEST(UtilTest, IsLineFolded) {
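Review bot: The updated test passes `NULL` for `extension`, so the new detection branch in `htp_parse_chunked_length` is never exercised. Add a case with a non-NULL pointer and a constructed input that carries an extension, e.g. `int ext = 0; EXPECT_EQ(0x12a5, htp_parse_chunked_length((unsigned char*) "12a5;foo=bar", 12, &ext)); EXPECT_EQ(1, ext);`, plus one without ';' asserting that `ext` stays 0. The expected length assumes the extension is cut off before the digits are parsed, as the "cut off trailing junk" branch in htp_util.c suggests.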
