authorjsg <jsg@openbsd.org>2015-04-18 09:27:54 +0000
committerjsg <jsg@openbsd.org>2015-04-18 09:27:54 +0000
commit8757e0cc438aba5d165dfcba7a87e597b1f1da5e (patch)
treebde850179f1d4979a6dfc33fc47bb87af6c2ac77
parenti386 and amd64 have only one syscall entry point now, so simply the (diff)
Regis Leroy reported that httpd does not strictly accept CRLF for
newlines which could lead to http response splitting/smuggling if a badly behaved proxy is in front of httpd. Switch from evbuffer_readline() to evbuffer_readln() with EVBUFFER_EOL_CRLF_STRICT to avoid this. ok florian@
-rw-r--r--usr.sbin/httpd/server_http.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index eb47331930e..82fed5c146e 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.77 2015/04/09 16:48:29 florian Exp $ */
+/* $OpenBSD: server_http.c,v 1.78 2015/04/18 09:27:54 jsg Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -225,7 +225,8 @@ server_read_http(struct bufferevent *bev, void *arg)
goto done;
}
- while (!clt->clt_done && (line = evbuffer_readline(src)) != NULL) {
+ while (!clt->clt_done && (line =
+ evbuffer_readln(src, NULL, EVBUFFER_EOL_CRLF_STRICT)) != NULL) {
linelen = strlen(line);
/*
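Review bot: Passing `NULL` as the second argument of `evbuffer_readln()` discards the number of bytes consumed, and the following `linelen = strlen(line);` then measures only up to the first NUL byte. A request line or header containing an embedded NUL would be parsed here as a shorter line than the one a front-end proxy forwarded, which is the same kind of parsing disagreement this commit sets out to close. If `linelen` is a `size_t` (its declaration is outside the hunk), consider `evbuffer_readln(src, &linelen, EVBUFFER_EOL_CRLF_STRICT)` and rejecting the request when `strlen(line) != linelen`. The loop body continues outside the hunk.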
@@ -536,7 +537,7 @@ server_read_httpchunks(struct bufferevent *bev, void *arg)
}
switch (clt->clt_toread) {
case TOREAD_HTTP_CHUNK_LENGTH:
- line = evbuffer_readline(src);
+ line = evbuffer_readln(src, NULL, EVBUFFER_EOL_CRLF_STRICT);
if (line == NULL) {
/* Ignore empty line, continue */
bufferevent_enable(bev, EV_READ);
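Review bot: The comment `/* Ignore empty line, continue */` under `if (line == NULL)` does not describe what a NULL return means: `evbuffer_readln()` returns an empty string for an empty line, and NULL when no complete line is buffered yet. With `EVBUFFER_EOL_CRLF_STRICT`, NULL now also covers input terminated by a bare LF, which stays in the buffer until a CRLF arrives. I would reword it to `/* No complete CRLF-terminated line yet, wait for more data */`, here and in the `TOREAD_HTTP_CHUNK_TRAILER` case of the next hunk. What bounds the data buffered while waiting is not visible in these hunks and is worth confirming.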
@@ -571,7 +572,7 @@ server_read_httpchunks(struct bufferevent *bev, void *arg)
break;
case TOREAD_HTTP_CHUNK_TRAILER:
/* Last chunk is 0 bytes followed by trailer and empty line */
- line = evbuffer_readline(src);
+ line = evbuffer_readln(src, NULL, EVBUFFER_EOL_CRLF_STRICT);
if (line == NULL) {
/* Ignore empty line, continue */
bufferevent_enable(bev, EV_READ);
@@ -591,7 +592,7 @@ server_read_httpchunks(struct bufferevent *bev, void *arg)
break;
case 0:
/* Chunk is terminated by an empty newline */
- line = evbuffer_readline(src);
+ line = evbuffer_readln(src, NULL, EVBUFFER_EOL_CRLF_STRICT);
if (line != NULL)
free(line);
if (server_bufferevent_print(clt, "\r\n") == -1)
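Review bot: In `case 0:` the line returned by `evbuffer_readln()` is freed without being looked at, so the chunk terminator is neither required to be present nor required to be empty. If NULL comes back because the CRLF has not fully arrived, the code still goes on to print `"\r\n"`, and the late terminator would presumably be read afterwards as the next chunk-size line. If a non-empty line comes back, its bytes are silently dropped. Both leave room for the chunk-framing disagreement the strict EOL mode is meant to prevent. I would wait for more data on NULL, as the other two cases do, and fail the request when `line[0] != '\0'`. The `if (line != NULL)` guard before `free(line)` is also redundant. The rest of the case is outside the hunk.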