libmicrohttpd

HTTP/1.x server C library (MHD 1.x, stable)

commit 5717a9ec22d72d4d4202dfd3e1071ded9182e51e
parent 785ae52b3e397baf21400512ef2b4641b4170049
Author: Christian Grothoff <christian@grothoff.org>
Date:   Thu,  1 Mar 2018 13:29:58 +0100

expand strictness to cover spaces in URL

Diffstat:
Msrc/include/microhttpd.h | 20++++++++++++--------
Msrc/lib/connection_call_handlers.c | 8++++++++
Msrc/microhttpd/connection.c | 8++++++++
3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
@@ -1470,14 +1470,18 @@ enum MHD_OPTION
 MHD_OPTION_LISTEN_BACKLOG_SIZE = 28,
 /**
- * If set to 1 - be strict about the protocol (as opposed to as
- * tolerant as possible). Specifically, at the moment, this flag
- * causes MHD to reject HTTP 1.1 connections without a "Host" header.
- * This is required by the standard, but of course in violation of
- * the "be as liberal as possible in what you accept" norm. It is
- * recommended to set this to 1 if you are testing clients against
- * MHD, and 0 in production.
- * This option should be followed by an `int` argument.
+ * If set to 1 - be strict about the protocol. Use -1 to be
+ * as tolerant as possible.
+ *
+ * Specifically, at the moment, at 1 this flag
+ * causes MHD to reject HTTP 1.1 connections without a "Host" header,
+ * and to disallow spaces in the URL or (at -1) in HTTP header key strings.
+ *
+ * These are required by some versions of the standard, but of
+ * course in violation of the "be as liberal as possible in what you
+ * accept" norm. It is recommended to set this to 1 if you are
+ * testing clients against MHD, and 0 in production. This option
+ * should be followed by an `int` argument.
 */
 MHD_OPTION_STRICT_FOR_CLIENT = 29
 };
diff --git a/src/lib/connection_call_handlers.c b/src/lib/connection_call_handlers.c
@@ -1803,6 +1803,14 @@ parse_initial_message_line (struct MHD_Request *request,
 line_len - (uri - line));
 }
 }
+ if ( (1 <= daemon->strict_for_client) &&
+ (NULL != memchr (line,
+ ' ',
+ http_version - line)) )
+ {
+ /* space exists in URI and we are supposed to be strict, reject */
+ return MHD_NO;
+ }
 if (NULL != daemon->early_uri_logger_cb)
 {
 request->client_context
diff --git a/src/microhttpd/connection.c b/src/microhttpd/connection.c
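Review bot: The new comment on MHD_OPTION_STRICT_FOR_CLIENT does not state clearly what each of the three values does: "disallow spaces in the URL or (at -1) in HTTP header key strings" can be read as -1 disallowing something, while the first sentence calls -1 the most tolerant setting. The code hunks in this commit only test `1 <= daemon->strict_for_client`, so the -1 behaviour is not visible here and should be confirmed before rewording. I would list the levels one per line, for example `1: reject requests without "Host" and requests with spaces in the URL` and `-1: additionally accept spaces in header key strings` (if that is the intent). The "0 in production" advice also deserves a caveat that a daemon deployed behind a reverse proxy or filtering front end may prefer 1, so that both parsers agree on where the request target ends.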
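Review bot: The added strictness check scans `memchr (line, ' ', http_version - line)`, which starts at the beginning of the request line, although its comment speaks of a space in the URI and the context line just above measures from `uri` (`line_len - (uri - line)`). The check also sits after two closing braces, so if `http_version` is assigned only inside one of the branches that end there (the assignments are outside this hunk), the pointer difference is taken from an indeterminate value and, once converted to `size_t`, can let memchr read past the request buffer. I would bound the scan to the URI and guard the pointer, `(NULL != http_version) && (NULL != memchr (uri, ' ', http_version - uri))`, with `http_version` initialised to NULL at its declaration. The same lines are added in src/microhttpd/connection.c and need the same change; parse_initial_message_line starts and ends outside both hunks.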
@@ -2241,6 +2241,14 @@ parse_initial_message_line (struct MHD_Connection *connection,
 line_len - (uri - line));
 }
 }
+ if ( (1 <= daemon->strict_for_client) &&
+ (NULL != memchr (line,
+ ' ',
+ http_version - line)) )
+ {
+ /* space exists in URI and we are supposed to be strict, reject */
+ return MHD_NO;
+ }
 if (NULL != daemon->uri_log_callback)
 {
 connection->client_aware = true;