author | Loïc Hoguin <[email protected]> | 2017-11-29 18:10:11 +0100 |
---|---|---|
committer | Loïc Hoguin <[email protected]> | 2017-11-29 18:10:11 +0100 |
commit | d50bab8e7849d01da4a59c17ea8dbc59d6d9a08d (patch) | |
tree | 028adc62e6641dd42aaffa8585fc49f0348c481d | |
parent | 14b4afa6699d18d2a5317b6f438287f550e9cee4 (diff) | |
Reject absolute URIs with userinfo components in HTTP/1.1
-rw-r--r-- | src/cowboy_http.erl | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index d3d123e..0f0537b 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -394,6 +394,8 @@ parse_uri_skip_host(<< C, Rest/bits >>, State, Method) ->
 case C of
 $\r -> error_terminate(400, State, {connection_error, protocol_error,
 'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
+ $@ -> error_terminate(400, State, {connection_error, protocol_error,
+ 'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
 $/ -> parse_uri_path(Rest, State, Method, <<"/">>);
 $\s -> parse_version(Rest, State, Method, <<"/">>, <<>>);
 $? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>); |
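Review bot: The new `$@` clause in parse_uri_skip_host ships without a regression test; the diffstat lists only src/cowboy_http.erl. A test using a constructed request line such as `GET http://user@localhost/ HTTP/1.1` and expecting a 400 would pin the rejection. A second case with `@` only in the path or query should confirm such requests are still accepted, since the `$/` and `$?` clauses hand off to parse_uri_path and parse_uri_query before this scan would reach that byte. A one-line comment above the clause would record the reason, e.g. `%% userinfo can obscure the real authority (RFC7230 2.7.1); reject rather than skip it.` The case expression continues past the end of the hunk, and whether the HTTP/2 `:authority` path applies the same rule is not visible from this commit and worth confirming.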