author | Denys Vlasenko | 2013-03-25 23:27:00 +0100 |
---|---|---|
committer | Denys Vlasenko | 2013-03-25 23:27:00 +0100 |
commit | 85daa67bc2e0abc7c9661f7652a462185dd7f6b5 (patch) | |
tree | f8d27b8e6db9439ea7078e635ebbb4322816d51b /networking | |
parent | c608731e78736ec177461577e505e250f2dd3614 (diff) | |
httpd: don't allow tabs and multiple spaces in request string
The HTTP standard doesn't allow them, and no sane client should ever use them.
function old new delta
handle_incoming_and_exit 2795 2785 -10
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking')
-rw-r--r-- | networking/httpd.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index 1934bb2..b46eb0f 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
 send_headers_and_exit(HTTP_BAD_REQUEST);
 /* Determine type of request (GET/POST) */
- urlp = strpbrk(iobuf, " \t");
+ // rfc2616: method and URI is separated by exactly one space
+ //urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
+ urlp = strchr(iobuf, ' ');
 if (urlp == NULL)
 send_headers_and_exit(HTTP_BAD_REQUEST);
 *urlp++ = '\0';
@@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
 if (strcasecmp(iobuf, request_GET) != 0)
 send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
 #endif
- urlp = skip_whitespace(urlp);
+ // rfc2616: method and URI is separated by exactly one space
+ //urlp = skip_whitespace(urlp); - should not be necessary
 if (urlp[0] != '/')
 send_headers_and_exit(HTTP_BAD_REQUEST); |
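Review bot: A request line that uses a tab between method and URI but has a space later is no longer split at the tab, so `strchr(iobuf, ' ')` leaves the tab and the URI inside the method token. Rejection then depends on the method comparison further down (the second hunk shows the GET-only branch answering HTTP_NOT_IMPLEMENTED), not on an explicit malformed-request check. If HTTP_BAD_REQUEST is the intended answer for such lines, that should be stated or enforced next to this split; the rest of handle_incoming_and_exit lies outside the hunk, so this is inferred from the visible lines only. The commented-out `strpbrk` call here, and the commented-out `skip_whitespace` call in the second hunk, would read better deleted, leaving one comment such as `/* rfc2616 5.1: Request-Line = Method SP Request-URI SP HTTP-Version; HT is not a separator */`.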
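Review bot: With `skip_whitespace` gone, the `urlp[0] != '/'` test is the only visible guard against extra spaces or a tab before the URI, and nothing in this hunk covers whitespace between the URI and the HTTP version. The commit title promises no tabs or multiple spaces anywhere in the request string, so the code that splits the URI from the version, which is outside the hunk, should be checked for the same strictness. A lenient separator there is where a front-end proxy and this server could disagree about the request target. A comment at the check would make the dependency explicit: `/* extra SP or HT before the URI fails this test and is answered with 400 */`.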