httpd: don't allow tabs and multiple spaces in request string

HTTP standard doesn't allow it and no sane clients should ever use it.

function                                             old     new   delta
handle_incoming_and_exit                            2795    2785     -10

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2013-03-25 23:27:00 +01:00
parent c608731e78
commit 85daa67bc2

View File

@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
send_headers_and_exit(HTTP_BAD_REQUEST); send_headers_and_exit(HTTP_BAD_REQUEST);
/* Determine type of request (GET/POST) */ /* Determine type of request (GET/POST) */
urlp = strpbrk(iobuf, " \t"); // rfc2616: method and URI is separated by exactly one space
//urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
urlp = strchr(iobuf, ' ');
if (urlp == NULL) if (urlp == NULL)
send_headers_and_exit(HTTP_BAD_REQUEST); send_headers_and_exit(HTTP_BAD_REQUEST);
*urlp++ = '\0'; *urlp++ = '\0';
@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
if (strcasecmp(iobuf, request_GET) != 0) if (strcasecmp(iobuf, request_GET) != 0)
send_headers_and_exit(HTTP_NOT_IMPLEMENTED); send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
#endif #endif
urlp = skip_whitespace(urlp); // rfc2616: method and URI is separated by exactly one space
//urlp = skip_whitespace(urlp); - should not be necessary
if (urlp[0] != '/') if (urlp[0] != '/')
send_headers_and_exit(HTTP_BAD_REQUEST); send_headers_and_exit(HTTP_BAD_REQUEST);