diff options
| author | Loïc Hoguin <[email protected]> | 2017-11-29 18:33:50 +0100 |
|---|---|---|
| committer | Loïc Hoguin <[email protected]> | 2017-11-29 18:33:50 +0100 |
| commit | 8d9404e9b64a84117e765caa9b79877a15e5b693 (patch) | |
| tree | 21e8d809c8faaec3dd53d32717197ad79775f9f7 | |
| parent | d50bab8e7849d01da4a59c17ea8dbc59d6d9a08d (diff) | |
| download | cowboy-8d9404e9b64a84117e765caa9b79877a15e5b693.tar.gz cowboy-8d9404e9b64a84117e765caa9b79877a15e5b693.tar.bz2 cowboy-8d9404e9b64a84117e765caa9b79877a15e5b693.zip | |
Reject absolute URIs with no authority components
| -rw-r--r-- | src/cowboy_http.erl | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl index 0f0537b..6e1bc99 100644 --- a/src/cowboy_http.erl +++ b/src/cowboy_http.erl @@ -379,28 +379,34 @@ parse_method(<< C, Rest/bits >>, State, SoFar, Remaining) -> parse_uri(<< H, T, T, P, "://", Rest/bits >>, State, Method) when H =:= $h orelse H =:= $H, T =:= $t orelse T =:= $T; P =:= $p orelse P =:= $P -> - parse_uri_skip_host(Rest, State, Method); + parse_uri_skip_host(Rest, State, Method, <<>>); parse_uri(<< H, T, T, P, S, "://", Rest/bits >>, State, Method) when H =:= $h orelse H =:= $H, T =:= $t orelse T =:= $T; P =:= $p orelse P =:= $P; S =:= $s orelse S =:= $S -> - parse_uri_skip_host(Rest, State, Method); + parse_uri_skip_host(Rest, State, Method, <<>>); parse_uri(<< $/, Rest/bits >>, State, Method) -> parse_uri_path(Rest, State, Method, << $/ >>); parse_uri(_, State, _) -> error_terminate(400, State, {connection_error, protocol_error, 'Invalid request-line or request-target. (RFC7230 3.1.1, RFC7230 5.3)'}). -parse_uri_skip_host(<< C, Rest/bits >>, State, Method) -> +parse_uri_skip_host(<< C, Rest/bits >>, State, Method, SoFar) -> case C of - $\r -> error_terminate(400, State, {connection_error, protocol_error, - 'The request-target must not be followed by a line break. (RFC7230 3.1.1)'}); - $@ -> error_terminate(400, State, {connection_error, protocol_error, - 'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'}); + $\r -> + error_terminate(400, State, {connection_error, protocol_error, + 'The request-target must not be followed by a line break. (RFC7230 3.1.1)'}); + $@ -> + error_terminate(400, State, {connection_error, protocol_error, + 'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'}); + C when SoFar =:= <<>> andalso + ((C =:= $/) orelse (C =:= $\s) orelse (C =:= $?) orelse (C =:= $#)) -> + error_terminate(400, State, {connection_error, protocol_error, + 'Absolute URIs must include an authority component. (RFC7230 2.7.1)'}); $/ -> parse_uri_path(Rest, State, Method, <<"/">>); $\s -> parse_version(Rest, State, Method, <<"/">>, <<>>); $? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>); $# -> skip_uri_fragment(Rest, State, Method, <<"/">>, <<>>); - _ -> parse_uri_skip_host(Rest, State, Method) + C -> parse_uri_skip_host(Rest, State, Method, <<SoFar/binary, C>>) end. parse_uri_path(<< C, Rest/bits >>, State, Method, SoFar) -> |