authorLoïc Hoguin <[email protected]>2017-11-29 18:10:11 +0100
committerLoïc Hoguin <[email protected]>2017-11-29 18:10:11 +0100
commitd50bab8e7849d01da4a59c17ea8dbc59d6d9a08d (patch)
tree028adc62e6641dd42aaffa8585fc49f0348c481d
parent14b4afa6699d18d2a5317b6f438287f550e9cee4 (diff)
Reject absolute URIs with userinfo components in HTTP/1.1
-rw-r--r--src/cowboy_http.erl2
1 files changed, 2 insertions, 0 deletions
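--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -394,6 +394,8 @@ parse_uri_skip_host(<< C, Rest/bits >>, State, Method) ->
 case C of
 $\r -> error_terminate(400, State, {connection_error, protocol_error,
 'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
+$@ -> error_terminate(400, State, {connection_error, protocol_error,
+'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
 $/ -> parse_uri_path(Rest, State, Method, <<"/">>);
 $\s -> parse_version(Rest, State, Method, <<"/">>, <<>>);
 $? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>);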
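Review bot: The new `$@` clause has no comment explaining why a single byte is enough to detect userinfo, and a reader of parse_uri_skip_host will not see that the authority is scanned byte by byte here, so `@` is caught whether it follows a user, a user:password pair or appears anywhere else in the authority; a line such as `%% RFC 7230 2.7.1: a recipient must treat a userinfo subcomponent in an absolute URI as an error.` above the clause would make that intent explicit. The `$/` clause immediately below still forwards to parse_uri_path when no host byte has been consumed at all (`http:///path`), which the same RFC section also requires a recipient to reject — unless that case is filtered before parse_uri_skip_host is entered, which is outside the hunk and worth confirming. A regression test sending an absolute-form request-target containing userinfo and asserting the 400 response would pin the new behaviour. The remaining clauses of parse_uri_skip_host continue past the end of the hunk.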