commit libhtp for openSUSE:Factory

2024-06-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2024-06-03 17:45:33

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.24587 (New)


Package is "libhtp"

Mon Jun  3 17:45:33 2024 rev:19 rq:1178333 version:0.5.48

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2024-04-30 
17:29:52.215648591 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.24587/libhtp.changes 2024-06-03 
17:46:07.096855782 +0200
@@ -1,0 +2,5 @@
+Sat Jun  1 20:30:02 UTC 2024 - Andreas Stieger 
+
+- run tests, spec file tweaks
+
+---
@@ -8 +13,2 @@
-  * request: limit probing after missing protocol
+  * CVE-2024-28871 request: limit probing after missing protocol
+(boo#1222512)
@@ -23 +29,2 @@
-  * CVE-2024-23837 - Critical severity
+  * CVE-2024-23837: excessive processing time of HTTP headers can
+lead to a denial of service (boo#1220403)



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.ib8aMe/_old  2024-06-03 17:46:07.532871365 +0200
+++ /var/tmp/diff_new_pack.ib8aMe/_new  2024-06-03 17:46:07.536871508 +0200
@@ -2,6 +2,7 @@
 # spec file for package libhtp
 #
 # Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2024 Andreas Stieger 
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,19 +19,23 @@
 
 %define sover   2
 %define lname   %{name}%{sover}
+%bcond_without tests
 Name:   libhtp
 Version:0.5.48
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause
 Group:  Development/Libraries/C and C++
-URL:http://www.openinfosecfoundation.org/
+URL:https://www.openinfosecfoundation.org/
 Source: 
https://github.com/OISF/libhtp/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
+%if %{with tests}
+BuildRequires:  c++_compiler
+%endif
 
 %description
 The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod 
Security fame for the OISF. This integrates and provides very advanced 
processing of HTTP streams for Suricata. The HTP library is required by the 
engine, but may also be used independently in a range of applications and tools.
@@ -52,27 +57,34 @@
 developing applications that use %{name}.
 
 %prep
-%setup -q
+%autosetup -p1
 sed -i 's/\r$//' ChangeLog
 
 %build
-autoreconf -fi
-%configure --disable-static
-make %{?_smp_mflags}
+autoreconf -fiv
+%configure \
+   --disable-static
+%make_build
 
 %install
 %make_install
 find %{buildroot} -type f -name "*.la" -delete -print
 
-%post -n %{lname} -p /sbin/ldconfig
-%postun -n %{lname} -p /sbin/ldconfig
+%check
+%if %{with tests}
+%make_build test
+%endif
+
+%ldconfig_scriptlets -n %{lname}
 
 %files -n %{lname}
 %license COPYING LICENSE
 %doc AUTHORS ChangeLog README
-%{_libdir}/libhtp.so.%{sover}*
+%{_libdir}/libhtp.so.%{sover}
+%{_libdir}/libhtp.so.%{sover}.*
 
 %files devel
+%license COPYING LICENSE
 %{_includedir}/htp
 %{_libdir}/libhtp.so
 %{_libdir}/pkgconfig/htp.pc


commit libhtp for openSUSE:Factory

2024-04-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2024-04-30 17:28:13

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.1880 (New)


Package is "libhtp"

Tue Apr 30 17:28:13 2024 rev:18 rq:1170919 version:0.5.48

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2024-02-22 
21:02:45.988484438 +0100
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1880/libhtp.changes  2024-04-30 
17:29:52.215648591 +0200
@@ -1,0 +2,9 @@
+Thu Apr 25 20:11:06 UTC 2024 - Martin Hauke 
+
+- Update to version 0.5.48
+  * decompressor: only take erroneous data on first try
+  * autotools: run autoupdate to modernize build system
+- Update to version 0.5.47
+  * request: limit probing after missing protocol
+
+---

Old:

  libhtp-0.5.46.tar.gz

New:

  libhtp-0.5.48.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.QJ6P31/_old  2024-04-30 17:29:52.635663864 +0200
+++ /var/tmp/diff_new_pack.QJ6P31/_new  2024-04-30 17:29:52.635663864 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.46
+Version:0.5.48
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.46.tar.gz -> libhtp-0.5.48.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/ChangeLog new/libhtp-0.5.48/ChangeLog
--- old/libhtp-0.5.46/ChangeLog 2024-02-08 05:34:38.0 +0100
+++ new/libhtp-0.5.48/ChangeLog 2024-04-22 16:41:50.0 +0200
@@ -1,3 +1,15 @@
+0.5.48 (22 April 2024)
+--
+
+- decompressor: only take erroneous data on first try
+
+- autotools: run autoupdate to modernize build system
+
+0.5.47 (19 March 2024)
+--
+
+- request: limit probing after missing protocol
+
 0.5.46 (08 February 2024)
 -
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/VERSION new/libhtp-0.5.48/VERSION
--- old/libhtp-0.5.46/VERSION   2024-02-08 05:34:38.0 +0100
+++ new/libhtp-0.5.48/VERSION   2024-04-22 16:41:50.0 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.46
+PKG_VERSION=0.5.48
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/configure.ac 
new/libhtp-0.5.48/configure.ac
--- old/libhtp-0.5.46/configure.ac  2024-02-08 05:34:38.0 +0100
+++ new/libhtp-0.5.48/configure.ac  2024-04-22 16:41:50.0 +0200
@@ -3,7 +3,7 @@
 dnl Initialization macros
 dnl --
 
-AC_INIT([LibHTP], m4_esyscmd([./get-version.sh VERSION]))
+AC_INIT([LibHTP],[m4_esyscmd(./get-version.sh VERSION)])
 AM_INIT_AUTOMAKE()
 
 AC_CONFIG_HEADERS([htp_config_auto_gen.h])
@@ -86,7 +86,7 @@
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_PROG_CXX
-AM_PROG_LIBTOOL
+LT_INIT
 AM_SANITY_CHECK
 
 # Checks for library functions
@@ -99,7 +99,7 @@
 dnl ---
 dnl Checks for libs.
 dnl ---
-AC_CHECK_HEADER(zlib.h,,[AC_ERROR(zlib.h not found ...)])
+AC_CHECK_HEADER(zlib.h,,[AC_MSG_ERROR(zlib.h not found ...)])
 ZLIB=""
 AC_CHECK_LIB(z, inflate,, ZLIB="no")
 if test "$ZLIB" = "no"; then
@@ -161,13 +161,11 @@
 TMPLIBS="${LIBS}"
 LIBS="${LIBS} ${LIBICONV}"
 
-AC_TRY_LINK([#include 
- #include ],
-[int iconv_param = 0;
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include 
+ #include ]], [[int iconv_param = 0;
  iconv_t cd = iconv_open("","");
  iconvctl(cd, ICONV_SET_DISCARD_ILSEQ, _param);
- iconv_close(cd);],
-[ac_cv_func_iconvctl=yes])
+ iconv_close(cd);]])],[ac_cv_func_iconvctl=yes],[])
 AC_MSG_RESULT($ac_cv_func_iconvctl)
 if test "$ac_cv_func_iconvctl" == yes; then
 AC_DEFINE(HAVE_ICONVCTL,1,"Define to 1 if you have the `iconvctl' 
function.")
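Review bot: The rewritten iconvctl probe passes an empty failure branch to `AC_LINK_IFELSE`, so when the link test fails `ac_cv_func_iconvctl` stays unset and the following `AC_MSG_RESULT($ac_cv_func_iconvctl)` prints a blank result. Make the last argument `[ac_cv_func_iconvctl=no]` so the configure log records the outcome explicitly. The context line `if test "$ac_cv_func_iconvctl" == yes` uses `==`, which POSIX `test` does not define; `=` is the portable spelling.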
@@ -185,7 +183,7 @@
 AC_MSG_CHECKING(for gcc support of -Wstrict-overflow=1)
 TMPCFLAGS="${CFLAGS}"
 CFLAGS="${CFLAGS} -Wstrict-overflow=1"
-AC_TRY_COMPILE(,,[gcc_have_strict_overflow=yes],[gcc_have_strict_overflow=no])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], 
[[]])],[gcc_have_strict_overflow=yes],[gcc_have_strict_overflow=no])
 AC_MSG_RESULT($gcc_have_strict_overflow)
 if test "$gcc_have_strict_overflow" != "yes"; then
 CFLAGS="${TMPCFLAGS}"
@@ -198,7 +196,7 @@
 AC_MSG_CHECKING(for gcc support of stack smashing protection)
 TMPCFLAGS="${CFLAGS}"
 

commit libhtp for openSUSE:Factory

2023-07-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2023-07-27 16:53:24

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.32662 (New)


Package is "libhtp"

Thu Jul 27 16:53:24 2023 rev:16 rq:1101052 version:0.5.45

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2023-06-30 
19:59:08.413739106 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.32662/libhtp.changes 2023-07-27 
16:53:30.194727792 +0200
@@ -1,0 +2,7 @@
+Thu Jul 27 08:56:06 UTC 2023 - Otto Hollmann 
+
+- Update to version 0.5.45
+  * log: resist allocation failure
+  * support HTTP Bearer authentication
+
+---

Old:

  libhtp-0.5.44.tar.gz

New:

  libhtp-0.5.45.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.i6z106/_old  2023-07-27 16:53:30.766731024 +0200
+++ /var/tmp/diff_new_pack.i6z106/_new  2023-07-27 16:53:30.770731046 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.44
+Version:0.5.45
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.44.tar.gz -> libhtp-0.5.45.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.44/ChangeLog new/libhtp-0.5.45/ChangeLog
--- old/libhtp-0.5.44/ChangeLog 2023-06-13 15:14:36.0 +0200
+++ new/libhtp-0.5.45/ChangeLog 2023-07-11 14:35:37.0 +0200
@@ -1,3 +1,10 @@
+0.5.45 (11 July 2023)
+-
+
+- log: resist allocation failure
+
+- support HTTP Bearer authentication
+
 0.5.44 (13 June 2023)
 -
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.44/VERSION new/libhtp-0.5.45/VERSION
--- old/libhtp-0.5.44/VERSION   2023-06-13 15:14:36.0 +0200
+++ new/libhtp-0.5.45/VERSION   2023-07-11 14:35:37.0 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.44
+PKG_VERSION=0.5.45
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.44/htp/htp_core.h 
new/libhtp-0.5.45/htp/htp_core.h
--- old/libhtp-0.5.44/htp/htp_core.h2023-06-13 15:14:36.0 +0200
+++ new/libhtp-0.5.45/htp/htp_core.h2023-07-11 14:35:37.0 +0200
@@ -136,6 +136,9 @@
 /** HTTP Digest authentication used. */
 HTP_AUTH_DIGEST = 3,
 
+/** HTTP Digest authentication used. */
+HTP_AUTH_BEARER = 4,
+
 /** Unrecognized authentication method. */
 HTP_AUTH_UNRECOGNIZED = 9
 };
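Review bot: The doc comment added above `HTP_AUTH_BEARER = 4` is a copy of the Digest one and still reads "HTTP Digest authentication used."; it should read `/** HTTP Bearer authentication used. */`. The enum's opening line is outside the hunk.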
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.44/htp/htp_parsers.c 
new/libhtp-0.5.45/htp/htp_parsers.c
--- old/libhtp-0.5.44/htp/htp_parsers.c 2023-06-13 15:14:36.0 +0200
+++ new/libhtp-0.5.45/htp/htp_parsers.c 2023-07-11 14:35:37.0 +0200
@@ -162,6 +162,24 @@
 }
 
 /**
+ * Parses Bearer Authorization request header.
+ *
+ * @param[in] connp
+ * @param[in] auth_header
+ */
+int htp_parse_authorization_bearer(htp_connp_t *connp, htp_header_t 
*auth_header) {
+unsigned char *data = bstr_ptr(auth_header->value);
+size_t len = bstr_len(auth_header->value);
+size_t pos = 6;
+
+// Ignore whitespace
+while ((pos < len) && (isspace((int) data[pos]))) pos++;
+if (pos == len) return HTP_DECLINED;
+
+// There is nothing much else to check with Bearer auth so we just return
+return HTP_OK;
+}
+/**
  * Parses Authorization request header.
  *
  * @param[in] connp
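Review bot: `htp_parse_authorization_bearer` never checks that a separator follows the scheme name: `pos` starts at the fixed offset 6 and the loop skips whitespace only if some is present, so a value such as `Bearerabc` returns HTP_OK, and the dispatch in the next hunk (`bstr_begins_with_c_nocase(auth_header->value, "bearer")`) tags it as HTP_AUTH_BEARER. Consider declining when no whitespace was consumed, e.g. `if (pos == 6 || pos == len) return HTP_DECLINED;`; whether the Basic and Digest parsers are equally lenient is not visible here. The literal 6 would read better as `strlen("bearer")` or a named constant shared with the dispatch. `connp` is unused in the new function, and a blank line is missing between its closing brace and the following `/**`.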
@@ -183,6 +201,10 @@
 // Digest authentication
 connp->in_tx->request_auth_type = HTP_AUTH_DIGEST;
 return htp_parse_authorization_digest(connp, auth_header);
+} else if (bstr_begins_with_c_nocase(auth_header->value, "bearer")) {
+// OAuth Bearer authentication
+connp->in_tx->request_auth_type = HTP_AUTH_BEARER;
+return htp_parse_authorization_bearer(connp, auth_header);
 } else {
 // Unrecognized authentication method
 connp->in_tx->request_auth_type = HTP_AUTH_UNRECOGNIZED;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.44/htp/htp_private.h 
new/libhtp-0.5.45/htp/htp_private.h
--- old/libhtp-0.5.44/htp/htp_private.h 2023-06-13 15:14:36.0 +0200
+++ new/libhtp-0.5.45/htp/htp_private.h 2023-07-11 14:35:37.0 +0200
@@ -186,6 +186,7 @@
 int htp_parse_status(bstr *status);
 int htp_parse_authorization_digest(htp_connp_t *connp, htp_header_t 

commit libhtp for openSUSE:Factory

2023-06-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2023-06-30 19:58:48

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.13546 (New)


Package is "libhtp"

Fri Jun 30 19:58:48 2023 rev:15 rq:1096030 version:0.5.44

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2023-04-29 
17:28:24.606609881 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.13546/libhtp.changes 2023-06-30 
19:59:08.413739106 +0200
@@ -1,0 +2,8 @@
+Tue Jun 20 07:19:24 UTC 2023 - Otto Hollmann 
+
+- Update to version 0.5.44
+  * response: only trim spaces at headers names end
+  * response: skips lines before response line
+  * headers: log a warning for chunks extension
+
+---

Old:

  libhtp-0.5.43.tar.gz

New:

  libhtp-0.5.44.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.C1LlxR/_old  2023-06-30 19:59:09.597746148 +0200
+++ /var/tmp/diff_new_pack.C1LlxR/_new  2023-06-30 19:59:09.633746362 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.43
+Version:0.5.44
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.43.tar.gz -> libhtp-0.5.44.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/ChangeLog new/libhtp-0.5.44/ChangeLog
--- old/libhtp-0.5.43/ChangeLog 2023-04-13 10:41:58.0 +0200
+++ new/libhtp-0.5.44/ChangeLog 2023-06-13 15:14:36.0 +0200
@@ -1,3 +1,12 @@
+0.5.44 (13 June 2023)
+-
+
+- response: only trim spaces at headers names end
+
+- response: skips lines before response line
+
+- headers: log a warning for chunks extension
+
 0.5.43 (13 April 2023)
 --
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/VERSION new/libhtp-0.5.44/VERSION
--- old/libhtp-0.5.43/VERSION   2023-04-13 10:41:58.0 +0200
+++ new/libhtp-0.5.44/VERSION   2023-06-13 15:14:36.0 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.43
+PKG_VERSION=0.5.44
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_private.h 
new/libhtp-0.5.44/htp/htp_private.h
--- old/libhtp-0.5.43/htp/htp_private.h 2023-04-13 10:41:58.0 +0200
+++ new/libhtp-0.5.44/htp/htp_private.h 2023-06-13 15:14:36.0 +0200
@@ -181,7 +181,7 @@
 void htp_utf8_validate_path(htp_tx_t *tx, bstr *path);
 
 int64_t htp_parse_content_length(bstr *b, htp_connp_t *connp);
-int64_t htp_parse_chunked_length(unsigned char *data, size_t len);
+int64_t htp_parse_chunked_length(unsigned char *data, size_t len, int 
*extension);
 int64_t htp_parse_positive_integer_whitespace(unsigned char *data, size_t len, 
int base);
 int htp_parse_status(bstr *status);
 int htp_parse_authorization_digest(htp_connp_t *connp, htp_header_t 
*auth_header);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_request.c 
new/libhtp-0.5.44/htp/htp_request.c
--- old/libhtp-0.5.43/htp/htp_request.c 2023-04-13 10:41:58.0 +0200
+++ new/libhtp-0.5.44/htp/htp_request.c 2023-06-13 15:14:36.0 +0200
@@ -499,7 +499,11 @@
 
 htp_chomp(data, );
 
-connp->in_chunked_length = htp_parse_chunked_length(data, len);
+int chunk_ext = 0;
+connp->in_chunked_length = htp_parse_chunked_length(data, len, 
_ext);
+if (chunk_ext == 1) {
+htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request 
chunk extension");
+}
 
 htp_connp_req_clear_buffer(connp);
 
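Review bot: The warning text `"Request chunk extension"` added here is repeated verbatim in the response-side hunk of htp_response.c further down, where it follows the assignment to `connp->out_chunked_length`, so a log reader cannot tell which direction carried the extension; the response path should log `"Response chunk extension"`. In both hunks the flag is tested with `chunk_ext == 1`; `if (chunk_ext)` would not depend on the helper writing exactly 1, which is not visible here. The enclosing function starts and ends outside the hunk.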
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_response.c 
new/libhtp-0.5.44/htp/htp_response.c
--- old/libhtp-0.5.43/htp/htp_response.c2023-04-13 10:41:58.0 
+0200
+++ new/libhtp-0.5.44/htp/htp_response.c2023-06-13 15:14:36.0 
+0200
@@ -415,8 +415,11 @@
 fprint_raw_data(stderr, "Chunk length line", data, len);
 #endif
 
-connp->out_chunked_length = htp_parse_chunked_length(data, len);
-
+int chunk_ext = 0;
+connp->out_chunked_length = htp_parse_chunked_length(data, len, 
_ext);
+if (chunk_ext == 1) {
+htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request 
chunk extension");
+}
 // 

commit libhtp for openSUSE:Factory

2023-04-29 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2023-04-29 17:28:13

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.1533 (New)


Package is "libhtp"

Sat Apr 29 17:28:13 2023 rev:14 rq:1083534 version:0.5.43

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2022-12-03 
15:04:53.709835928 +0100
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1533/libhtp.changes  2023-04-29 
17:28:24.606609881 +0200
@@ -1,0 +2,12 @@
+Fri Apr 21 12:33:55 UTC 2023 - Otto Hollmann 
+
+- Update to version 0.5.43
+  * htp: do not log content-encoding: none
+  * htp: do not error on multiple 100 Continue
+  * readme: remove note on libhtp not being stable
+  * uri: fix compile warning strict-prototypes
+  * bstr: fix compile warning strict-prototypes
+  * fuzz_diff: Free the rust test object.
+  * github: add CIFuzz workflow
+
+---

Old:

  libhtp-0.5.42.tar.gz

New:

  libhtp-0.5.43.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.ic4mAU/_old  2023-04-29 17:28:25.946615492 +0200
+++ /var/tmp/diff_new_pack.ic4mAU/_new  2023-04-29 17:28:25.950615508 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libhtp
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.42
+Version:0.5.43
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.42.tar.gz -> libhtp-0.5.43.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.42/.github/workflows/cifuzz.yml 
new/libhtp-0.5.43/.github/workflows/cifuzz.yml
--- old/libhtp-0.5.42/.github/workflows/cifuzz.yml  1970-01-01 
01:00:00.0 +0100
+++ new/libhtp-0.5.43/.github/workflows/cifuzz.yml  2023-04-13 
10:41:58.0 +0200
@@ -0,0 +1,26 @@
+name: CIFuzz
+on: [pull_request]
+jobs:
+  Fuzzing:
+runs-on: ubuntu-latest
+steps:
+- name: Build Fuzzers
+  id: build
+  uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+  with:
+oss-fuzz-project-name: 'libhtp'
+dry-run: false
+language: c++
+- name: Run Fuzzers
+  uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+  with:
+oss-fuzz-project-name: 'libhtp'
+fuzz-seconds: 300
+dry-run: false
+language: c++
+- name: Upload Crash
+  uses: actions/upload-artifact@v3
+  if: failure() && steps.build.outcome == 'success'
+  with:
+name: artifacts
+path: ./out/artifacts
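Review bot: All three `uses:` lines reference mutable refs (`build_fuzzers@master`, `run_fuzzers@master` and `actions/upload-artifact@v3`), so the code executed in CI can change without any commit to this repository. Pinning each to a full commit SHA, e.g. `uses: actions/upload-artifact@<commit-sha>  # v3`, keeps runs reproducible and makes action updates reviewable. The file also sets no `permissions:` key, so the job token gets the repository default; a top-level `permissions:` block with `contents: read` would state the least privilege the job needs.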
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.42/ChangeLog new/libhtp-0.5.43/ChangeLog
--- old/libhtp-0.5.42/ChangeLog 2022-11-28 07:01:47.0 +0100
+++ new/libhtp-0.5.43/ChangeLog 2023-04-13 10:41:58.0 +0200
@@ -1,3 +1,20 @@
+0.5.43 (13 April 2023)
+--
+
+- htp: do not log content-encoding: none
+
+- htp: do not error on multiple 100 Continue
+
+- readme: remove note on libhtp not being stable
+
+- uri: fix compile warning strict-prototypes
+
+- bstr: fix compile warning strict-prototypes
+
+- fuzz_diff: Free the rust test object.
+
+- github: add CIFuzz workflow
+
 0.5.42 (27 November 2022)
 -
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.42/README new/libhtp-0.5.43/README
--- old/libhtp-0.5.42/README2022-11-28 07:01:47.0 +0100
+++ new/libhtp-0.5.43/README2023-04-13 10:41:58.0 +0200
@@ -25,10 +25,6 @@
 user in control, allowing him to choose the most desired library
 characteristic.
 
- | IMPORTANT   LIBHTP IS NOT YET CONSIDERED STABLE. USE AT YOUR OWN RISK. DO 
NOT
- | USE IN PRODUCTION. WORK IS CURRENTLY UNDER WAY TO ENSURE THAT
- | LIBHTP IS SECURE AND THAT IT PERFORMS WELL.
-
  | STATUS  LIBHTP IS VERY YOUNG AT THIS POINT. IT WILL BE SOME TIME BEFORE
  | IT CAN BE CONSIDER COMPLETE. AT THE MOMENT, THE FOCUS OF 
DEVELOPMENT
  | IS ON ACHIEVING THE FIRST TWO GOALS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.42/VERSION new/libhtp-0.5.43/VERSION
--- old/libhtp-0.5.42/VERSION   2022-11-28 07:01:47.0 +0100
+++ 

commit libhtp for openSUSE:Factory

2022-12-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2022-12-03 15:04:52

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.1835 (New)


Package is "libhtp"

Sat Dec  3 15:04:52 2022 rev:13 rq:1039818 version:0.5.42

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2022-09-29 
18:14:00.503331601 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1835/libhtp.changes  2022-12-03 
15:04:53.709835928 +0100
@@ -1,0 +2,9 @@
+Tue Nov 29 18:49:29 UTC 2022 - Michael Ströder 
+
+- Update to version 0.5.42
+  * github: add initial workflow
+  * htp: fixes warning about bad delimiter in URI
+  * fuzz: fix a null dereference in a diff report
+  * htp: fixes warning about integer
+
+---

Old:

  libhtp-0.5.41.tar.gz

New:

  libhtp-0.5.42.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.Tz6fl7/_old  2022-12-03 15:04:54.341839598 +0100
+++ /var/tmp/diff_new_pack.Tz6fl7/_new  2022-12-03 15:04:54.345839621 +0100
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.41
+Version:0.5.42
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.41.tar.gz -> libhtp-0.5.42.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.41/.github/workflows/builds.yml 
new/libhtp-0.5.42/.github/workflows/builds.yml
--- old/libhtp-0.5.41/.github/workflows/builds.yml  1970-01-01 
01:00:00.0 +0100
+++ new/libhtp-0.5.42/.github/workflows/builds.yml  2022-11-28 
07:01:47.0 +0100
@@ -0,0 +1,90 @@
+name: builds
+
+on:
+  - push
+  - pull_request
+
+permissions: read-all
+
+env:
+  DEFAULT_CFLAGS: "-Wall -Wextra -Werror -Wno-unused-parameter 
-Wno-unused-function"
+
+  # Apt sometimes likes to ask for user input, this will prevent that.
+  DEBIAN_FRONTEND: "noninteractive"
+
+jobs:
+  ubuntu-2004:
+name: Ubuntu 20.04
+runs-on: ubuntu-latest
+container: ubuntu:20.04
+steps:
+  - uses: actions/checkout@v3.1.0
+  - name: Install system dependencies
+run: |
+apt update
+apt-get upgrade -y
+apt-get -y install make \
+autoconf \
+build-essential \
+autoconf \
+automake \
+dpkg-dev \
+debhelper \
+libtool \
+make \
+pkg-config \
+zlib1g-dev
+  - run: ./autogen.sh
+  - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+  - run: make -j2
+  - run: make install
+  - run: make distcheck
+
+  ubuntu-2204:
+name: Ubuntu 22.04
+runs-on: ubuntu-latest
+container: ubuntu:22.04
+steps:
+  - uses: actions/checkout@v3.1.0
+  - name: Install system dependencies
+run: |
+apt update
+apt-get upgrade -y
+apt-get -y install make \
+autoconf \
+build-essential \
+autoconf \
+automake \
+libtool \
+make \
+pkg-config \
+zlib1g-dev
+  - run: ./autogen.sh
+  - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+  - run: make -j2
+  - run: make install
+  - run: make distcheck
+
+  centos-7:
+name: CentOS 7
+runs-on: ubuntu-latest
+container: centos:7
+steps:
+  - uses: actions/checkout@v3.1.0
+  - name: Install system dependencies
+run: |
+  yum -y install \
+autoconf \
+automake \
+gcc \
+gcc-c++ \
+libtool \
+make \
+pkgconfig \
+which \
+zlib-devel
+  - run: ./autogen.sh
+  - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+  - run: make -j2
+  - run: make install
+  - run: make distcheck
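Review bot: `permissions: read-all` grants the token read access on every scope although the jobs only check out and build the repository; a `permissions:` block containing just `contents: read` is sufficient. `actions/checkout@v3.1.0` is pinned by tag, which can be moved; a full commit SHA is the stable form. The two Ubuntu jobs differ only in the container image and two packages, and their apt lists name `autoconf` and `make` twice, so a matrix over the image would remove the duplication.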
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.41/.travis.yml 
new/libhtp-0.5.42/.travis.yml
--- old/libhtp-0.5.41/.travis.yml   2022-09-27 09:32:46.0 +0200
+++ new/libhtp-0.5.42/.travis.yml   1970-01-01 01:00:00.0 +0100
@@ -1,24 +0,0 @@
-language: c
-compiler:
-  - gcc
-  - clang
-# Change this to your needs
-script: sh autogen.sh && ./configure && make && (make check || cat 
test/test-suite.log) && make distcheck
-before_install:
-  - sudo apt-get update -qq
-  - 

commit libhtp for openSUSE:Factory

2022-09-29 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2022-09-29 18:13:16

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.2275 (New)


Package is "libhtp"

Thu Sep 29 18:13:16 2022 rev:12 rq:1006724 version:0.5.41

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2022-06-28 
15:23:16.774023646 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.2275/libhtp.changes  2022-09-29 
18:14:00.503331601 +0200
@@ -1,0 +2,8 @@
+Wed Sep 28 08:16:01 UTC 2022 - Michael Str??der 
+
+- Update to version 0.5.41
+  * trim white space of invalid folding for first header
+  * clear buffered data for body data
+  * minor optimization for decompression code
+
+---

Old:

  libhtp-0.5.40.tar.gz

New:

  libhtp-0.5.41.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.mxTBhq/_old  2022-09-29 18:14:01.119332804 +0200
+++ /var/tmp/diff_new_pack.mxTBhq/_new  2022-09-29 18:14:01.123332811 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.40
+Version:0.5.41
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.40.tar.gz -> libhtp-0.5.41.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.40/ChangeLog new/libhtp-0.5.41/ChangeLog
--- old/libhtp-0.5.40/ChangeLog 2022-04-21 07:58:30.0 +0200
+++ new/libhtp-0.5.41/ChangeLog 2022-09-27 09:32:46.0 +0200
@@ -1,3 +1,12 @@
+0.5.41 (27 September 2022)
+--
+
+- trim white space of invalid folding for first header
+
+- clear buffered data for body data
+
+- minor optimization for decompression code
+
 0.5.40 (21 April 2022)
 --
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.40/VERSION new/libhtp-0.5.41/VERSION
--- old/libhtp-0.5.40/VERSION   2022-04-21 07:58:30.0 +0200
+++ new/libhtp-0.5.41/VERSION   2022-09-27 09:32:46.0 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.40
+PKG_VERSION=0.5.41
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.40/htp/htp_decompressors.c 
new/libhtp-0.5.41/htp/htp_decompressors.c
--- old/libhtp-0.5.40/htp/htp_decompressors.c   2022-04-21 07:58:30.0 
+0200
+++ new/libhtp-0.5.41/htp/htp_decompressors.c   2022-09-27 09:32:46.0 
+0200
@@ -182,10 +182,11 @@
  * @param[in] d
  * @return HTP_OK on success, HTP_ERROR or some other negative integer on 
failure.
  */
-static htp_status_t htp_gzip_decompressor_decompress(htp_decompressor_gzip_t 
*drec, htp_tx_data_t *d) {
+htp_status_t htp_gzip_decompressor_decompress(htp_decompressor_t *drec1, 
htp_tx_data_t *d) {
 size_t consumed = 0;
 int rc = 0;
 htp_status_t callback_rc;
+htp_decompressor_gzip_t *drec = (htp_decompressor_gzip_t*) drec1;
 
 // Pass-through the NULL chunk, which indicates the end of the stream.
 
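Review bot: Dropping `static` from `htp_gzip_decompressor_decompress` gives the function external linkage; if it is only installed as a callback or called from within htp_decompressors.c (not visible here), keep it `static` so it does not join the library's exported symbols. The new cast `htp_decompressor_gzip_t *drec = (htp_decompressor_gzip_t*) drec1;` assumes every `htp_decompressor_t` reaching this function is the leading member of a gzip record, an invariant worth stating in the doc comment. The `@param` list, partly outside the hunk, presumably still names `drec` and should be updated to `drec1`. The function body continues outside the hunk.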
@@ -217,7 +218,7 @@
 }
 dout.is_last = d->is_last;
 if (drec->super.next != NULL && drec->zlib_initialized) {
-return htp_gzip_decompressor_decompress((htp_decompressor_gzip_t 
*)drec->super.next, );
+return htp_gzip_decompressor_decompress(drec->super.next, );
 } else {
 // Send decompressed data to the callback.
 callback_rc = drec->super.callback();
@@ -252,7 +253,7 @@
 d2.is_last = d->is_last;
 
 if (drec->super.next != NULL && drec->zlib_initialized) {
-callback_rc = 
htp_gzip_decompressor_decompress((htp_decompressor_gzip_t *)drec->super.next, 
);
+callback_rc = 
htp_gzip_decompressor_decompress(drec->super.next, );
 } else {
 // Send decompressed data to callback.
 callback_rc = drec->super.callback();
@@ -337,7 +338,7 @@
 d2.is_last = d->is_last;
 
 if (drec->super.next != NULL && drec->zlib_initialized) {
-callback_rc = 
htp_gzip_decompressor_decompress((htp_decompressor_gzip_t *)drec->super.next, 
);
+callback_rc = 
htp_gzip_decompressor_decompress(drec->super.next, );
 } else {
 // Send decompressed data to the callback.
 callback_rc = drec->super.callback();
@@ -404,7 +405,8 @@
  *
  * @param[in] drec
  */
-static void htp_gzip_decompressor_destroy(htp_decompressor_gzip_t *drec) {

commit libhtp for openSUSE:Factory

2022-06-28 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2022-06-28 15:22:57

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.1548 (New)


Package is "libhtp"

Tue Jun 28 15:22:57 2022 rev:11 rq:985534 version:0.5.40

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2021-11-22 
23:04:50.245800489 +0100
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1548/libhtp.changes  2022-06-28 
15:23:16.774023646 +0200
@@ -1,0 +2,13 @@
+Mon Jun 27 21:32:51 UTC 2022 - Otto Hollmann 
+
+- Update to version 0.5.40
+  * uri: optionally allows spaces in uri
+  * ints: integer handling improvements
+  * headers: continue on nul byte
+  * headers: consistent trailing space handling
+  * list: fix integer overflow
+  * util: remove unused htp_utf8_decode
+  * fix 100-continue with CL 0
+  * lzma: don't do unnecessary realloc
+
+---

Old:

  libhtp-0.5.39.tar.gz

New:

  libhtp-0.5.40.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.I3tbyf/_old  2022-06-28 15:23:17.154024212 +0200
+++ /var/tmp/diff_new_pack.I3tbyf/_new  2022-06-28 15:23:17.158024219 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libhtp
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.39
+Version:0.5.40
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.39.tar.gz -> libhtp-0.5.40.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.39/ChangeLog new/libhtp-0.5.40/ChangeLog
--- old/libhtp-0.5.39/ChangeLog 2021-11-16 11:36:34.0 +0100
+++ new/libhtp-0.5.40/ChangeLog 2022-04-21 07:58:30.0 +0200
@@ -1,5 +1,24 @@
-0.5.39 (16 Nov 2021)
-
+0.5.40 (21 April 2022)
+--
+
+- uri: optionally allows spaces in uri
+
+- ints: integer handling improvements
+
+- headers: continue on nul byte
+
+- headers: consistent trailing space handling
+
+- list: fix integer overflow
+
+- util: remove unused htp_utf8_decode
+
+- fix 100-continue with CL 0
+
+- lzma: don't do unnecessary realloc
+
+0.5.39 (16 November 2021)
+-
 
 - host: ipv6 address is a valid host
 
@@ -7,8 +26,8 @@
 
 - test and fuzz improvements
 
-0.5.38 (30 Jun 2021)
-
+0.5.38 (30 June 2021)
+-
 
 - consume empty lines when parsing chunks to avoid quadratic complexity
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.39/VERSION new/libhtp-0.5.40/VERSION
--- old/libhtp-0.5.39/VERSION   2021-11-16 11:36:34.0 +0100
+++ new/libhtp-0.5.40/VERSION   2022-04-21 07:58:30.0 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.39
+PKG_VERSION=0.5.40
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.39/htp/htp_config.c 
new/libhtp-0.5.40/htp/htp_config.c
--- old/libhtp-0.5.39/htp/htp_config.c  2021-11-16 11:36:34.0 +0100
+++ new/libhtp-0.5.40/htp/htp_config.c  2022-04-21 07:58:30.0 +0200
@@ -163,6 +163,7 @@
 cfg->response_lzma_layer_limit = 1; // default is only one layer
 cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT;
 cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC;
+cfg->allow_space_uri = 0;
 
 // Default settings for URL-encoded data.
 
@@ -566,6 +567,11 @@
 cfg->request_decompression_enabled = enabled;
 }
 
+void htp_config_set_allow_space_uri(htp_cfg_t *cfg, int allow_space_uri) {
+if (cfg == NULL) return;
+cfg->allow_space_uri = allow_space_uri;
+}
+
 int htp_config_set_server_personality(htp_cfg_t *cfg, enum 
htp_server_personality_t personality) {
 if (cfg == NULL) return HTP_ERROR;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.39/htp/htp_config.h 
new/libhtp-0.5.40/htp/htp_config.h
--- old/libhtp-0.5.39/htp/htp_config.h  2021-11-16 11:36:34.0 +0100
+++ new/libhtp-0.5.40/htp/htp_config.h  2022-04-21 07:58:30.0 +0200
@@ -523,6 +523,14 @@
 void htp_config_set_parse_request_cookies(htp_cfg_t *cfg, int 
parse_request_cookies);
 
 /**
+ * Enable or disable spaces in URIs. Disabled by default.
+ *
+ * 

commit libhtp for openSUSE:Factory

2021-11-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2021-11-22 23:04:04

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.1895 (New)


Package is "libhtp"

Mon Nov 22 23:04:04 2021 rev:10 rq:932885 version:0.5.39

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2021-07-08 
22:49:49.415818732 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1895/libhtp.changes  2021-11-22 
23:04:50.245800489 +0100
@@ -1,0 +2,8 @@
+Thu Nov 18 20:57:18 UTC 2021 - Martin Hauke 
+
+- Update to version 0.5.39
+  * host: ipv6 address is a valid host
+  * util: one char is not always empty line
+  * test and fuzz improvements
+
+---

Old:

  libhtp-0.5.38.tar.gz

New:

  libhtp-0.5.39.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.fQoxOu/_old  2021-11-22 23:04:50.669799066 +0100
+++ /var/tmp/diff_new_pack.fQoxOu/_new  2021-11-22 23:04:50.669799066 +0100
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.38
+Version:0.5.39
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.38.tar.gz -> libhtp-0.5.39.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.38/ChangeLog new/libhtp-0.5.39/ChangeLog
--- old/libhtp-0.5.38/ChangeLog 2021-06-30 16:04:22.0 +0200
+++ new/libhtp-0.5.39/ChangeLog 2021-11-16 11:36:34.0 +0100
@@ -1,3 +1,12 @@
+0.5.39 (16 Nov 2021)
+
+
+- host: ipv6 address is a valid host
+
+- util: one char is not always empty line
+
+- test and fuzz improvements
+
 0.5.38 (30 Jun 2021)
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.38/VERSION new/libhtp-0.5.39/VERSION
--- old/libhtp-0.5.38/VERSION   2021-06-30 16:04:22.0 +0200
+++ new/libhtp-0.5.39/VERSION   2021-11-16 11:36:34.0 +0100
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.38
+PKG_VERSION=0.5.39
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.38/htp/htp_util.c 
new/libhtp-0.5.39/htp/htp_util.c
--- old/libhtp-0.5.38/htp/htp_util.c2021-06-30 16:04:22.0 +0200
+++ new/libhtp-0.5.39/htp/htp_util.c2021-11-16 11:36:34.0 +0100
@@ -38,6 +38,16 @@
 
 #include "htp_config_auto.h"
 
+//inet_pton
+#if _WIN32
+#include 
+#else // mac, linux, freebsd
+#include 
+#include 
+#include 
+#include 
+#endif
+
 #include "htp_private.h"
 
 /**
@@ -219,7 +229,7 @@
  * @return 0 or 1
  */
 int htp_is_line_empty(unsigned char *data, size_t len) {
-if ((len == 1) ||
+if (((len == 1) && ((data[0] == CR) || (data[0] == LF))) ||
 ((len == 2) && (data[0] == CR) && (data[1] == LF))) {
 return 1;
 }
@@ -2442,6 +2452,17 @@
 
 if ((len == 0) || (len > 255)) return 0;
 
+if (data[0] == '[') {
+// only ipv6 possible
+if (len < 2 || len - 2 >= INET6_ADDRSTRLEN) {
+return 0;
+}
+char dst[sizeof(struct in6_addr)];
+char str[INET6_ADDRSTRLEN];
+memcpy(str, data+1, len-2);
+str[len-2] = 0;
+return inet_pton(AF_INET6, str, dst);
+}
 while (pos < len) {
 // Validate label characters.
 startpos = pos;
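Review bot: The bracketed branch never checks that the last byte is `]`: it copies `len-2` bytes starting at `data+1` and silently drops whatever `data[len-1]` holds, so a constructed host such as `[::1x` is accepted as a valid IPv6 literal. The guard should read `if (len < 2 || data[len-1] != ']' || len - 2 >= INET6_ADDRSTRLEN) {`. Two smaller points in the same branch: `inet_pton` stops at the first NUL, so a NUL byte inside the brackets hides the rest of the host from validation (rejecting when `memchr(data+1, 0, len-2)` is non-NULL would close that), and its result is returned raw, so `return inet_pton(AF_INET6, str, dst) == 1;` keeps a -1 error return from being read as "valid" by callers that presumably treat the result as a boolean. The enclosing function starts and ends outside the hunk.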
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.38/test/fuzz/fuzz_diff.c 
new/libhtp-0.5.39/test/fuzz/fuzz_diff.c
--- old/libhtp-0.5.38/test/fuzz/fuzz_diff.c 1970-01-01 01:00:00.0 
+0100
+++ new/libhtp-0.5.39/test/fuzz/fuzz_diff.c 2021-11-16 11:36:34.0 
+0100
@@ -0,0 +1,432 @@
+/**
+ * @file
+ * @author Philippe Antoine 
+ * fuzz harness for libhtp
+ */
+
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "htp/htp.h"
+#include "test/test.h"
+#include "fuzz_htp.h"
+#include "htp/htp_private.h"
+
+FILE * logfile = NULL;
+
+
+/**
+ * Invoked at the end of every transaction.
+ *
+ * @param[in] connp
+ */
+static int HTPCallbackResponse(htp_tx_t *out_tx) {
+if (out_tx != NULL) {
+char *x = bstr_util_strdup_to_c(out_tx->request_line);
+fprintf(logfile, "HTPCallbackResponse %s\n", x);
+free(x);
+}
+return 0;
+}
+
+static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
+{
+fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", 
(uintmax_t)tx_data->len);
+if 

commit libhtp for openSUSE:Factory

2021-07-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2021-07-08 22:49:26

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.2625 (New)


Package is "libhtp"

Thu Jul  8 22:49:26 2021 rev:9 rq:905090 version:0.5.38

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2021-03-05 
13:51:29.751965104 +0100
+++ /work/SRC/openSUSE:Factory/.libhtp.new.2625/libhtp.changes  2021-07-08 
22:49:49.415818732 +0200
@@ -1,0 +2,7 @@
+Sun Jul  4 11:53:54 UTC 2021 - Martin Hauke 
+
+- Update to version 0.5.38
+  * consume empty lines when parsing chunks to avoid quadratic
+complexity.
+
+---

Old:

  libhtp-0.5.37.tar.gz

New:

  libhtp-0.5.38.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.9PzTth/_old  2021-07-08 22:49:49.763816047 +0200
+++ /var/tmp/diff_new_pack.9PzTth/_new  2021-07-08 22:49:49.767816016 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.37
+Version:0.5.38
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.37.tar.gz -> libhtp-0.5.38.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.37/ChangeLog new/libhtp-0.5.38/ChangeLog
--- old/libhtp-0.5.37/ChangeLog 2021-02-27 15:16:55.0 +0100
+++ new/libhtp-0.5.38/ChangeLog 2021-06-30 16:04:22.0 +0200
@@ -1,3 +1,10 @@
+0.5.38 (30 Jun 2021)
+
+
+- consume empty lines when parsing chunks to avoid quadratic complexity
+
+- autotools fix for cygwin
+
 0.5.37 (2 March 2021)
 -
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.37/VERSION new/libhtp-0.5.38/VERSION
--- old/libhtp-0.5.37/VERSION   2021-02-27 15:16:55.0 +0100
+++ new/libhtp-0.5.38/VERSION   2021-06-30 16:04:22.0 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.37
+PKG_VERSION=0.5.38
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.37/configure.ac 
new/libhtp-0.5.38/configure.ac
--- old/libhtp-0.5.37/configure.ac  2021-02-27 15:16:55.0 +0100
+++ new/libhtp-0.5.38/configure.ac  2021-06-30 16:04:22.0 +0200
@@ -154,6 +154,7 @@
 sinclude(m4/lib-link.m4)
 sinclude(m4/lib-prefix.m4)
 AM_ICONV
+AM_CONDITIONAL([CYGWIN], [test x${OS_CYGWIN} = xtrue])
 
 # iconvctl is not standard, it is defined only in GNU libiconv
 AC_MSG_CHECKING(for iconvctl)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.37/htp/Makefile.am 
new/libhtp-0.5.38/htp/Makefile.am
--- old/libhtp-0.5.37/htp/Makefile.am   2021-02-27 15:16:55.0 +0100
+++ new/libhtp-0.5.38/htp/Makefile.am   2021-06-30 16:04:22.0 +0200
@@ -29,3 +29,7 @@
 libhtp_la_SOURCES =
 libhtp_la_LIBADD = libhtp-c.la lzma/liblzma-c.la
 libhtp_la_LDFLAGS = -version-info $(GENERIC_LIBRARY_VERSION)
+if CYGWIN
+libhtp_la_LIBADD += $(LIBICONV)
+libhtp_la_LDFLAGS += -no-undefined
+endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.37/htp/htp_response.c 
new/libhtp-0.5.38/htp/htp_response.c
--- old/libhtp-0.5.37/htp/htp_response.c2021-02-27 15:16:55.0 
+0100
+++ new/libhtp-0.5.38/htp/htp_response.c2021-06-30 16:04:22.0 
+0200
@@ -418,8 +418,10 @@
 connp->out_chunked_length = htp_parse_chunked_length(data, len);
 
 // empty chunk length line, lets try to continue
-if (connp->out_chunked_length == -1004)
+if (connp->out_chunked_length == -1004) {
+connp->out_current_consume_offset = 
connp->out_current_read_offset;
 continue;
+}
 if (connp->out_chunked_length < 0) {
 // reset out_current_read_offset so 
htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE
 // doesn't miss the first bytes
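Review bot: `-1004` in the newly braced branch is an unexplained magic value that has to stay in sync with htp_parse_chunked_length; a named constant (for example `HTP_CHUNK_LEN_EMPTY_LINE`, name is only a suggestion) would make the coupling visible. The added assignment also deserves a why-comment, since it is the actual fix: `// consume the empty line so it is not re-scanned on every pass (quadratic work on input made of empty lines)`. Whether the surrounding loop bounds how many empty chunk-length lines it will skip cannot be seen from this hunk, and is worth confirming because the data comes from the server side of the inspected traffic. The enclosing function starts and ends outside the hunk.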


commit libhtp for openSUSE:Factory

2021-03-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2021-03-05 13:49:13

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.2378 (New)


Package is "libhtp"

Fri Mar  5 13:49:13 2021 rev:8 rq:876951 version:0.5.37

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2020-12-17 
17:09:00.845953533 +0100
+++ /work/SRC/openSUSE:Factory/.libhtp.new.2378/libhtp.changes  2021-03-05 
13:51:29.751965104 +0100
@@ -1,0 +2,8 @@
+Wed Mar  3 20:52:34 UTC 2021 - Martin Hauke 
+
+- Update to version 0.5.37
+  * support request body decompression
+  * several accuracy fixes
+  * fuzz improvments 
+
+---

Old:

  libhtp-0.5.36.tar.gz

New:

  libhtp-0.5.37.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.jfeYoH/_old  2021-03-05 13:51:30.275965607 +0100
+++ /var/tmp/diff_new_pack.jfeYoH/_new  2021-03-05 13:51:30.279965611 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libhtp
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.36
+Version:0.5.37
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.36.tar.gz -> libhtp-0.5.37.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.36/ChangeLog new/libhtp-0.5.37/ChangeLog
--- old/libhtp-0.5.36/ChangeLog 2020-12-03 12:05:03.0 +0100
+++ new/libhtp-0.5.37/ChangeLog 2021-02-27 15:16:55.0 +0100
@@ -1,3 +1,12 @@
+0.5.37 (2 March 2021)
+-
+
+- support request body decompression
+
+- several accuracy fixes
+
+- fuzz improvments 
+
 0.5.36 (3 December 2020)
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.36/VERSION new/libhtp-0.5.37/VERSION
--- old/libhtp-0.5.36/VERSION   2020-12-03 12:05:03.0 +0100
+++ new/libhtp-0.5.37/VERSION   2021-02-27 15:16:55.0 +0100
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.36
+PKG_VERSION=0.5.37
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.36/htp/htp_config.c 
new/libhtp-0.5.37/htp/htp_config.c
--- old/libhtp-0.5.36/htp/htp_config.c  2020-12-03 12:05:03.0 +0100
+++ new/libhtp-0.5.37/htp/htp_config.c  2021-02-27 15:16:55.0 +0100
@@ -153,6 +153,7 @@
 cfg->field_limit_soft = HTP_FIELD_LIMIT_SOFT;
 cfg->log_level = HTP_LOG_NOTICE;
 cfg->response_decompression_enabled = 1;
+cfg->request_decompression_enabled = 0; // disabled by default
 cfg->parse_request_cookies = 1;
 cfg->parse_request_auth = 1;
 cfg->extract_request_files = 0;
@@ -560,6 +561,11 @@
 cfg->response_decompression_enabled = enabled;
 }
 
+void htp_config_set_request_decompression(htp_cfg_t *cfg, int enabled) {
+if (cfg == NULL) return;
+cfg->request_decompression_enabled = enabled;
+}
+
 int htp_config_set_server_personality(htp_cfg_t *cfg, enum 
htp_server_personality_t personality) {
 if (cfg == NULL) return HTP_ERROR;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.36/htp/htp_config.h 
new/libhtp-0.5.37/htp/htp_config.h
--- old/libhtp-0.5.36/htp/htp_config.h  2020-12-03 12:05:03.0 +0100
+++ new/libhtp-0.5.37/htp/htp_config.h  2021-02-27 15:16:55.0 +0100
@@ -577,6 +577,14 @@
 void htp_config_set_response_decompression(htp_cfg_t *cfg, int enabled);
 
 /**
+ * Controls whether compressed request bodies will be automatically 
decompressed.
+ *
+ * @param[in] cfg
+ * @param[in] enabled set to 1 to enable decompression, 0 otherwise
+ */
+void htp_config_set_request_decompression(htp_cfg_t *cfg, int enabled);
+
+/**
  * Configure desired server personality.
  *
  * @param[in] cfg
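Review bot: The new doc comment for htp_config_set_request_decompression does not state the default, although the htp_config.c hunk of this same update sets `cfg->request_decompression_enabled = 0; // disabled by default`; add a line `Disabled by default.` after the first sentence. Because enabling it hands client-supplied compressed bodies to the decompressor, the comment should also say which limits apply on the request side. From the visible hunks it cannot be told whether `compression_bomb_limit` and `compression_time_limit` cover request bodies as well as responses, so that needs confirming before it is documented.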
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.36/htp/htp_config_private.h 
new/libhtp-0.5.37/htp/htp_config_private.h
--- old/libhtp-0.5.36/htp/htp_config_private.h  2020-12-03 12:05:03.0 
+0100
+++ new/libhtp-0.5.37/htp/htp_config_private.h  2021-02-27 15:16:55.0 
+0100
@@ -354,6 +354,9 @@
 
 /** How many layers of compression we will decompress (0 => no lzma). */
 int 

commit libhtp for openSUSE:Factory

2020-12-17 Thread User for buildservice source handling
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2020-12-17 17:05:21

Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and  /work/SRC/openSUSE:Factory/.libhtp.new.5145 (New)


Package is "libhtp"

Thu Dec 17 17:05:21 2020 rev:7 rq:856480 version:0.5.36

Changes:

--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes2020-10-10 
19:05:14.196511095 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.5145/libhtp.changes  2020-12-17 
17:09:00.845953533 +0100
@@ -1,0 +2,6 @@
+Fri Dec  4 17:09:01 UTC 2020 - Martin Hauke 
+
+- Update to version 0.5.36
+  * fix a http pipelining issue
+
+---

Old:

  libhtp-0.5.35.tar.gz

New:

  libhtp-0.5.36.tar.gz



Other differences:
--
++ libhtp.spec ++
--- /var/tmp/diff_new_pack.c8a6r3/_old  2020-12-17 17:09:01.357954041 +0100
+++ /var/tmp/diff_new_pack.c8a6r3/_new  2020-12-17 17:09:01.361954046 +0100
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:   libhtp
-Version:0.5.35
+Version:0.5.36
 Release:0
 Summary:HTTP normalizer and parser
 License:BSD-3-Clause

++ libhtp-0.5.35.tar.gz -> libhtp-0.5.36.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.35/ChangeLog new/libhtp-0.5.36/ChangeLog
--- old/libhtp-0.5.35/ChangeLog 2020-10-05 12:04:03.0 +0200
+++ new/libhtp-0.5.36/ChangeLog 2020-12-03 12:05:03.0 +0100
@@ -1,4 +1,10 @@
+0.5.36 (3 December 2020)
+
+
+- fix a http pipelining issue (#304, fixed by #312)
+
 0.5.35 (8 October 2020)
+---
 
 - fix memory leak in tunnel traffoc
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.35/VERSION new/libhtp-0.5.36/VERSION
--- old/libhtp-0.5.35/VERSION   2020-10-05 12:04:03.0 +0200
+++ new/libhtp-0.5.36/VERSION   2020-12-03 12:05:03.0 +0100
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.35
+PKG_VERSION=0.5.36
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.35/htp/htp_request.c 
new/libhtp-0.5.36/htp/htp_request.c
--- old/libhtp-0.5.35/htp/htp_request.c 2020-10-05 12:04:03.0 +0200
+++ new/libhtp-0.5.36/htp/htp_request.c 2020-12-03 12:05:03.0 +0100
@@ -843,11 +843,11 @@
 }
 if (connp->in_next_byte != LF || connp->in_current_consume_offset >= 
connp->in_current_read_offset) {
 for (;;) {//;i < max_read; i++) {
-IN_COPY_BYTE_OR_RETURN(connp);
-// Have we reached the end of the line? For some reason
-// we can't test after IN_COPY_BYTE_OR_RETURN */
+// peek until LF but do not mark it read so that REQ_LINE works
+IN_PEEK_NEXT(connp);
 if (connp->in_next_byte == LF)
 break;
+IN_COPY_BYTE_OR_RETURN(connp);
 }
 }
 }
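Review bot: The rewritten loop has no visible bound of its own: `for (;;)` leaves on LF and otherwise only through whatever `IN_COPY_BYTE_OR_RETURN` does when the buffer runs out, which is hidden inside a macro defined outside this hunk. A comment on the loop such as `// exits on LF, or through the return inside IN_COPY_BYTE_OR_RETURN when input is exhausted` would make the termination condition reviewable, once that behaviour is confirmed against the macro. The leftover `//;i < max_read; i++) {` fragment on the `for` line is commented-out code and should be removed, and `if (connp->in_next_byte == LF)` is better braced now that a statement follows the `break`. The enclosing function starts and ends outside the hunk.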
@@ -877,43 +877,34 @@
 while ((pos < len) && (!htp_is_space(data[pos])))
 pos++;
 
-if (pos <= mstart) {
-//empty whitespace line
-htp_status_t rc = htp_tx_req_process_body_data_ex(connp->in_tx, data, 
len);
-htp_connp_req_clear_buffer(connp);
-return rc;
-} else {
+if (pos > mstart) {
+//non empty whitespace line
 int methodi = HTP_M_UNKNOWN;
 bstr *method = bstr_dup_mem(data + mstart, pos - mstart);
 if (method) {
 methodi = htp_convert_method_to_number(method);
 bstr_free(method);
 }
-if (methodi == HTP_M_UNKNOWN) {
-if (connp->in_body_data_left <= 0) {
-// log only once per transaction
-htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Unexpected 
request body");
-} else {
-connp->in_body_data_left = 1;
-}
-// Interpret remaining bytes as body data
-htp_status_t rc = htp_tx_req_process_body_data_ex(connp->in_tx, 
data, len);
-htp_connp_req_clear_buffer(connp);
-return rc;
+if (methodi != HTP_M_UNKNOWN) {
+connp->in_body_data_left = -1;
+return htp_tx_state_request_complete(connp->in_tx);
 } // else continue
-connp->in_body_data_left = -1;
-}
-//unread last end of line so that REQ_LINE works
-if (connp->in_current_read_offset < (int64_t)len) {
-connp->in_current_read_offset=0;
-} else {
-connp->in_current_read_offset-=len;
-}
-if