From 8d9404e9b64a84117e765caa9b79877a15e5b693 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <essen@ninenines.eu>
Date: Wed, 29 Nov 2017 18:33:50 +0100
Subject: Reject absolute URIs with no authority components

---
 src/cowboy_http.erl | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index 0f0537b..6e1bc99 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -379,28 +379,34 @@ parse_method(<< C, Rest/bits >>, State, SoFar, Remaining) ->
 parse_uri(<< H, T, T, P, "://", Rest/bits >>, State, Method)
 		when H =:= $h orelse H =:= $H, T =:= $t orelse T =:= $T;
 			P =:= $p orelse P =:= $P ->
-	parse_uri_skip_host(Rest, State, Method);
+	parse_uri_skip_host(Rest, State, Method, <<>>);
 parse_uri(<< H, T, T, P, S, "://", Rest/bits >>, State, Method)
 		when H =:= $h orelse H =:= $H, T =:= $t orelse T =:= $T;
 			P =:= $p orelse P =:= $P; S =:= $s orelse S =:= $S ->
-	parse_uri_skip_host(Rest, State, Method);
+	parse_uri_skip_host(Rest, State, Method, <<>>);
 parse_uri(<< $/, Rest/bits >>, State, Method) ->
 	parse_uri_path(Rest, State, Method, << $/ >>);
 parse_uri(_, State, _) ->
 	error_terminate(400, State, {connection_error, protocol_error,
 		'Invalid request-line or request-target. (RFC7230 3.1.1, RFC7230 5.3)'}).
 
-parse_uri_skip_host(<< C, Rest/bits >>, State, Method) ->
+parse_uri_skip_host(<< C, Rest/bits >>, State, Method, SoFar) ->
 	case C of
-		$\r -> error_terminate(400, State, {connection_error, protocol_error,
-			'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
-		$@ -> error_terminate(400, State, {connection_error, protocol_error,
-			'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
+		$\r ->
+			error_terminate(400, State, {connection_error, protocol_error,
+				'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
+		$@ ->
+			error_terminate(400, State, {connection_error, protocol_error,
+				'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
+		C when SoFar =:= <<>> andalso
+				((C =:= $/) orelse (C =:= $\s) orelse (C =:= $?) orelse (C =:= $#)) ->
+			error_terminate(400, State, {connection_error, protocol_error,
+				'Absolute URIs must include an authority component. (RFC7230 2.7.1)'});
 		$/ -> parse_uri_path(Rest, State, Method, <<"/">>);
 		$\s -> parse_version(Rest, State, Method, <<"/">>, <<>>);
 		$? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>);
 		$# -> skip_uri_fragment(Rest, State, Method, <<"/">>, <<>>);
-		_ -> parse_uri_skip_host(Rest, State, Method)
+		C -> parse_uri_skip_host(Rest, State, Method, <<SoFar/binary, C>>)
 	end.
 
 parse_uri_path(<< C, Rest/bits >>, State, Method, SoFar) ->
-- 
cgit v1.2.3