summaryrefslogtreecommitdiff
path: root/networking
diff options
context:
space:
mode:
authorDenys Vlasenko2013-03-25 23:27:00 +0100
committerDenys Vlasenko2013-03-25 23:27:00 +0100
commit85daa67bc2e0abc7c9661f7652a462185dd7f6b5 (patch)
treef8d27b8e6db9439ea7078e635ebbb4322816d51b /networking
parentc608731e78736ec177461577e505e250f2dd3614 (diff)
downloadbusybox-85daa67bc2e0abc7c9661f7652a462185dd7f6b5.zip
busybox-85daa67bc2e0abc7c9661f7652a462185dd7f6b5.tar.gz
httpd: don't allow tabs and multiple spaces in request string
HTTP standard doesn't allow it and no sane clients should ever use it. function old new delta handle_incoming_and_exit 2795 2785 -10 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking')
-rw-r--r--networking/httpd.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index 1934bb2..b46eb0f 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
send_headers_and_exit(HTTP_BAD_REQUEST);
/* Determine type of request (GET/POST) */
- urlp = strpbrk(iobuf, " \t");
+ // rfc2616: method and URI is separated by exactly one space
+ //urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
+ urlp = strchr(iobuf, ' ');
if (urlp == NULL)
send_headers_and_exit(HTTP_BAD_REQUEST);
*urlp++ = '\0';
@@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
if (strcasecmp(iobuf, request_GET) != 0)
send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
#endif
- urlp = skip_whitespace(urlp);
+ // rfc2616: method and URI is separated by exactly one space
+ //urlp = skip_whitespace(urlp); - should not be necessary
if (urlp[0] != '/')
send_headers_and_exit(HTTP_BAD_REQUEST);