diff options
author | David Kalnischkies <david@kalnischkies.de> | 2016-08-12 22:13:09 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2016-10-05 21:53:38 +0200 |
commit | c0475a2283d662a375295c1477d7193cef823832 (patch) | |
tree | dbc40bc1b5a65062b25a5de6a860cbfc3a8d2143 /methods/server.cc | |
parent | bc8c6ca0c1815b1c3141c177939e1efbdc9862e9 (diff) |
http(s): allow empty values for header fields
It seems completely pointless from a server-POV to sent empty header
fields, so most of them don't do it (simply proven by this limitation
existing since day one) – but it is technically allowed by the RFC as
the surounding whitespaces are optional and Github seems to like sending
"X-Geo-Block-List:\r\n" since recently (bug reports in other http
clients indicate July) at least sometimes as the reporter claims to have
seen it on https only even through it can happen with both.
Closes: 834048
(cherry picked from commit 148c049150cc39f2e40894c1684dc2aefea1117e)
Diffstat (limited to 'methods/server.cc')
-rw-r--r-- | methods/server.cc | 35 |
1 files changed, 16 insertions, 19 deletions
diff --git a/methods/server.cc b/methods/server.cc index 2dc0b54b8..adc242538 100644 --- a/methods/server.cc +++ b/methods/server.cc @@ -102,25 +102,7 @@ bool ServerState::HeaderLine(string Line) if (Line.empty() == true) return true; - string::size_type Pos = Line.find(' '); - if (Pos == string::npos || Pos+1 > Line.length()) - { - // Blah, some servers use "connection:closes", evil. - Pos = Line.find(':'); - if (Pos == string::npos || Pos + 2 > Line.length()) - return _error->Error(_("Bad header line")); - Pos++; - } - - // Parse off any trailing spaces between the : and the next word. - string::size_type Pos2 = Pos; - while (Pos2 < Line.length() && isspace_ascii(Line[Pos2]) != 0) - Pos2++; - - string Tag = string(Line,0,Pos); - string Val = string(Line,Pos2); - - if (stringcasecmp(Tag.c_str(),Tag.c_str()+4,"HTTP") == 0) + if (Line.size() > 4 && stringcasecmp(Line.data(), Line.data()+4, "HTTP") == 0) { // Evil servers return no version if (Line[4] == '/') @@ -164,6 +146,21 @@ bool ServerState::HeaderLine(string Line) return true; } + // Blah, some servers use "connection:closes", evil. + // and some even send empty header fields… + string::size_type Pos = Line.find(':'); + if (Pos == string::npos) + return _error->Error(_("Bad header line")); + ++Pos; + + // Parse off any trailing spaces between the : and the next word. + string::size_type Pos2 = Pos; + while (Pos2 < Line.length() && isspace_ascii(Line[Pos2]) != 0) + Pos2++; + + string const Tag(Line,0,Pos); + string const Val(Line,Pos2); + if (stringcasecmp(Tag,"Content-Length:") == 0) { if (Encoding == Closes) |