[ 
https://issues.apache.org/jira/browse/TS-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alan M. Carroll closed TS-3202.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 5.2.0

> HTTP Parsing should not allow CTL characters in the method
> ----------------------------------------------------------
>
>                 Key: TS-3202
>                 URL: https://issues.apache.org/jira/browse/TS-3202
>             Project: Traffic Server
>          Issue Type: Bug
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>             Fix For: 5.2.0
>
>         Attachments: TS-3202.diff
>
>
> http_parser_parse_req() will mark a series of bytes as a correctly parsed 
> HTTP request if it meets the following constraints.
> <bytes excluding white space>+  <white space>+ <bytes excluding white space>+\n
> The first set of bytes is the method.  The current code will match a bunch of 
> control characters as a valid method (found via a case in production).  
> Assuming the second set of bytes does not contain a valid domain name, the 
> processing will eventually fail and return to the client a message about not 
> being able to resolve the DNS address, which is confusing.
> Looking at the W3 specs, it looks like HTTP 1.1 has the most lax rules for 
> what characters can form a method token.  From my reading, a method can be 
> any token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1), 
> and any character but white space and control characters are allowed to be in 
> a token (http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2).
> To improve the accuracy of our processing (and the accuracy of our error 
> messages), I'd like to change the parsing of the method token in 
> http_parser_parse_req() to restrict control characters from the method token 
> as well as the white space characters. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
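
The following C++ sketch is an added example, not Traffic Server's code or the attached TS-3202.diff. It scans a request line in the shape the description gives and shows the same control-character input accepted when only white space is excluded from the method, then rejected once CTLs (octets 0-31 and 127) are excluded too. The function and enum names, the SP/HT definition of white space and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed sample inputs (not taken from the issue).
static const char kCtlRequest[] = "\x01\x02\x03\x7f /x HTTP/1.1\n";
static const char kGetRequest[] = "GET / HTTP/1.1\n";

enum class Scan { OK, NO_METHOD, CTL_IN_METHOD, NO_TARGET };

// RFC 2616 section 2.2: CTL is octets 0-31 and DEL (127).
static bool is_ctl(unsigned char c) { return c < 32 || c == 127; }
// Assumption for this sketch: white space means SP or HT.
static bool is_ws(unsigned char c) { return c == ' ' || c == '\t'; }

// Scans "<method><white space>+<more bytes>...\n".
// reject_ctl == false: only white space is excluded from the method
//                      (the behaviour the issue describes).
// reject_ctl == true:  control characters are excluded as well
//                      (the change the issue proposes).
Scan scan_request_line(const char *buf, size_t len, bool reject_ctl, size_t *method_len)
{
  size_t i = 0;
  while (i < len && !is_ws(buf[i]) && buf[i] != '\n') {
    if (reject_ctl && is_ctl(buf[i]))
      return Scan::CTL_IN_METHOD; // fail at the method itself, with a precise reason
    ++i;
  }
  if (i == 0)
    return Scan::NO_METHOD;
  *method_len = i;
  size_t j = i;
  while (j < len && is_ws(buf[j]))
    ++j;
  if (j == i || j >= len || buf[j] == '\n')
    return Scan::NO_TARGET;
  return Scan::OK;
}

int main()
{
  size_t n = 0;
  Scan lax    = scan_request_line(kCtlRequest, sizeof(kCtlRequest) - 1, false, &n);
  Scan strict = scan_request_line(kCtlRequest, sizeof(kCtlRequest) - 1, true, &n);
  std::printf("CTL method: lax=%d strict=%d\n", static_cast<int>(lax), static_cast<int>(strict));
  Scan get = scan_request_line(kGetRequest, sizeof(kGetRequest) - 1, true, &n);
  std::printf("GET: strict=%d method_len=%zu\n", static_cast<int>(get), n);
  return 0;
}
```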