CVSROOT:        /cvs
Module name:    src
Changes by:     mill...@cvs.openbsd.org 2023/11/28 11:36:55

Modified files:
        usr.sbin/relayd: relay_http.c 

Log message:
relay_read_http: tighten up header parsing

1) reject headers with embedded NULs
2) reject headers with invalid characters in the name
3) reject Transfer-Encoding with values other than "chunked"
4) reject chunk values containing non-hex characters
5) reject Content-Length values of "+0" or "-0"
6) reject requests without a ' ' and headers without a ':'

Reported by Ben Kallus, OK bluhm@
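
The header-level checks listed in the log message, as an added example that is not relayd's code and not part of the commit. It assumes the RFC 9110 token set for valid name characters and a case-insensitive match on "chunked"; the function names are hypothetical, and the request-line check (a missing ' ') is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed definition of a valid name character: RFC 9110 "tchar". */
static int is_tchar(unsigned char c)
{
	return isalnum(c) || (c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Items 1, 2 and 6: no embedded NUL, a ':' present, name made of tchars.
 * len is the byte count read from the wire, so an embedded NUL is visible. */
int header_line_ok(const char *line, size_t len)
{
	const char *colon;
	size_t i;

	if (memchr(line, '\0', len) != NULL)
		return 0;
	colon = memchr(line, ':', len);
	if (colon == NULL || colon == line)
		return 0;
	for (i = 0; i < (size_t)(colon - line); i++)
		if (!is_tchar((unsigned char)line[i]))
			return 0;
	return 1;
}

/* Item 3: the only accepted Transfer-Encoding value is "chunked". */
int transfer_encoding_ok(const char *value)
{
	const char *want = "chunked";

	while (*want != '\0' && tolower((unsigned char)*value) == *want)
		value++, want++;
	return *want == '\0' && *value == '\0';
}

/* Items 4 and 5: non-empty and digits only. hex=1 for a chunk size,
 * hex=0 for Content-Length, where a sign such as "+0" or "-0" fails. */
int number_ok(const char *value, int hex)
{
	const unsigned char *p = (const unsigned char *)value;

	if (*p == '\0')
		return 0;
	for (; *p != '\0'; p++)
		if (hex ? !isxdigit(*p) : !isdigit(*p))
			return 0;
	return 1;
}
```

Each of these inputs is one where a lenient front end and a stricter back end can disagree on where a message ends, which is why the proxy rejects them instead of normalising them.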
