[git commit] httpd: don't allow tabs and multiple spaces in request string

Denys Vlasenko vda.linux at googlemail.com
Mon Mar 25 22:27:00 UTC 2013


commit: http://git.busybox.net/busybox/commit/?id=85daa67bc2e0abc7c9661f7652a462185dd7f6b5
branch: http://git.busybox.net/busybox/commit/?id=refs/heads/master

HTTP standard doesn't allow it and no sane clients should ever use it.

function                                             old     new   delta
handle_incoming_and_exit                            2795    2785     -10

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/httpd.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/networking/httpd.c b/networking/httpd.c
index 1934bb2..b46eb0f 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
 		send_headers_and_exit(HTTP_BAD_REQUEST);
 
 	/* Determine type of request (GET/POST) */
-	urlp = strpbrk(iobuf, " \t");
+	// rfc2616: method and URI is separated by exactly one space
+	//urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
+	urlp = strchr(iobuf, ' ');
 	if (urlp == NULL)
 		send_headers_and_exit(HTTP_BAD_REQUEST);
 	*urlp++ = '\0';
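Review bot: at the new `urlp = strchr(iobuf, ' ');` line, a tab between the method and the URI is no longer a split point, so the tab and everything up to the first space stay inside the method token in iobuf. Rejection of such a request then depends on the method comparison further down, which in the branch visible in the next hunk answers HTTP_NOT_IMPLEMENTED rather than HTTP_BAD_REQUEST. If a malformed separator should always produce a 400, check the method token for '\t' right after the split. Separately, the disabled `//urlp = strpbrk(iobuf, " \t");` line is dead code that the commit message already explains. Consider dropping it and writing the rfc2616 note in the same `/* */` style as the `/* Determine type of request (GET/POST) */` comment above it.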
@@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
 	if (strcasecmp(iobuf, request_GET) != 0)
 		send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
 #endif
-	urlp = skip_whitespace(urlp);
+	// rfc2616: method and URI is separated by exactly one space
+	//urlp = skip_whitespace(urlp); - should not be necessary
 	if (urlp[0] != '/')
 		send_headers_and_exit(HTTP_BAD_REQUEST);
 
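Review bot: with `skip_whitespace(urlp)` disabled, the `urlp[0] != '/'` test is now the only thing enforcing the single-space rule, but the comment above it repeats the wording from the first hunk and does not say so. Reword it to state that a second space or a tab at this position fails the '/' check and returns HTTP_BAD_REQUEST, so a later reader does not reinstate the skip as a leniency fix. The commented-out `//urlp = skip_whitespace(urlp);` line can be deleted outright, since the history keeps the old form.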

