authorLoïc Hoguin <[email protected]>2019-10-02 13:31:13 +0200
committerLoïc Hoguin <[email protected]>2019-10-02 13:31:13 +0200
commita14ecf19c68ba5b9eb828a41356b1adbc1c5739c (patch)
tree7f73ffc12263eea51a7b20518db65012721a2c7e /src
parent8e315485975601b62a820df0f0283d83a13fc40b (diff)
Add more HTTP/1.1 header parsing tests
Fix a case where Cowboy was waiting for more data that simply did not come. Now Cowboy will generate an error immediately when a header line has no colon separator. These test cases come from known request smuggling attack vectors. Cowboy was not vulnerable to any of them.
Diffstat (limited to 'src')
1 files changed, 10 insertions, 1 deletions
diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index 5136a3b..a6c640a 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -541,7 +541,16 @@ parse_header_colon(Buffer, State=#state{opts=Opts, in_state=PS}, Headers) ->
{connection_error, limit_reached,
'A header name is larger than configuration allows. (RFC7230 3.2.5, RFC6585 5)'});
nomatch ->
- {more, State#state{in_state=PS#ps_header{headers=Headers}}, Buffer};
+ %% We don't have a colon but we might have an invalid header line,
+ %% so check if we have an LF and abort with an error if we do.
+ case match_eol(Buffer, 0) of
+ nomatch ->
+ {more, State#state{in_state=PS#ps_header{headers=Headers}}, Buffer};
+ _ ->
+ error_terminate(400, State#state{in_state=PS#ps_header{headers=Headers}},
+ {connection_error, protocol_error,
+ 'A header line is missing a colon separator. (RFC7230 3.2.4)'})
+ end;
_ ->
parse_hd_name(Buffer, State, Headers, <<>>)