libmicrohttpd

HTTP/1.x server C library (MHD 1.x, stable)

commit e95ec4874da57b153ecea27fa553ae8a19b4a280
parent ef49636130061c379821d60c58ef51468bf9e039
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun, 23 Apr 2017 20:07:10 +0200

enforce RFC 7230 no-whitespace in header field name rule if MHD_USE_PEDANTIC_CHECKS is set

Diffstat:
MChangeLog | 4++++
Msrc/examples/minimal_example.c | 2+-
Msrc/microhttpd/connection.c | 16++++++++++++++++
Msrc/microhttpd/digestauth.c | 2+-
4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog @@ -1,3 +1,7 @@ +Sun Apr 23 20:05:44 CEST 2017 + Enforce RFC 7230's rule on no whitespace in HTTP header + field names if MHD_USE_PEDANTIC_CHECKS is set. -CG + Sun Apr 23 19:20:33 CEST 2017 Replace remaining occurences of sprintf() with MHD_snprintf_(). Thanks to Ram for pointing this out. -CG
diff --git a/src/examples/minimal_example.c b/src/examples/minimal_example.c
@@ -68,7 +68,7 @@ main (int argc, char *const *argv)
 return 1;
 }
 d = MHD_start_daemon (// MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
- MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
+ MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_PEDANTIC_CHECKS | MHD_USE_ERROR_LOG,
 // MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_POLL,
 // MHD_USE_THREAD_PER_CONNECTION | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_POLL,
 // MHD_USE_THREAD_PER_CONNECTION | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
diff --git a/src/microhttpd/connection.c b/src/microhttpd/connection.c
@@ -2213,6 +2213,22 @@ process_header_line (struct MHD_Connection *connection,
 _("Received malformed line (no colon). Closing connection.\n"));
 return MHD_NO;
 }
+ if (0 != (MHD_USE_PEDANTIC_CHECKS & connection->daemon->options))
+ {
+ /* check for whitespace before colon, which is not allowed
+ by RFC 7230 section 3.2.4; we count space ' ' and
+ tab '\t', but not '\r\n' as those would have ended the line. */
+ const char *white;
+
+ white = strchr (line, ' ');
+ if ( (NULL != white) &&
+ (white < colon) )
+ return MHD_NO;
+ white = strchr (line, '\t');
+ if ( (NULL != white) &&
+ (white < colon) )
+ return MHD_NO;
+ }
 /* zero-terminate header */
 colon[0] = '\0';
 colon++; /* advance to value */
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
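Review bot: Both new `return MHD_NO;` paths in process_header_line exit without the reporting step that the no-colon branch takes just above, where a "Closing connection" message is handed to a call whose name lies outside the hunk. A request rejected by the pedantic check therefore leaves nothing for an operator to distinguish it from other parse failures; I would mirror that branch with a message such as `_("Whitespace in header field name (RFC 7230 section 3.2.4). Closing connection.\n")` before each return. The two `strchr` calls also scan the whole line, value included, so bounding the search to the field name with `memchr (line, ' ', colon - line)` and the same for `'\t'` would say what is meant, assuming `colon` always points into `line` as the comparison implies. Since the check is gated on MHD_USE_PEDANTIC_CHECKS, the default configuration still accepts such field names, which the option's documentation should state for deployments behind a proxy where parsers may disagree on these lines. The function begins and ends outside the hunk, so what the caller does with MHD_NO is not visible here.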
@@ -413,7 +413,7 @@ check_nonce_nc (struct MHD_Connection *connection,
 {
 /* Fresh nonce, reinitialize array */
 strcpy (nn->nonce,
- nonce);
+ nonce);
 nn->nc = 0;
 nn->nmask = 0;
 MHD_mutex_unlock_chk_ (&daemon->nnc_lock);