From d50bab8e7849d01da4a59c17ea8dbc59d6d9a08d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?=
Date: Wed, 29 Nov 2017 18:10:11 +0100
Subject: Reject absolute URIs with userinfo components in HTTP/1.1
---
 src/cowboy_http.erl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index d3d123e..0f0537b 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -394,6 +394,8 @@ parse_uri_skip_host(<< C, Rest/bits >>, State, Method) ->
 case C of
 $\r -> error_terminate(400, State, {connection_error, protocol_error,
 'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
+ $@ -> error_terminate(400, State, {connection_error, protocol_error,
+ 'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
 $/ -> parse_uri_path(Rest, State, Method, <<"/">>);
 $\s -> parse_version(Rest, State, Method, <<"/">>, <<>>);
 $? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>);
-- 
cgit v1.2.3
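Review bot: The diffstat shows only src/cowboy_http.erl changed, so the new `$@` clause in parse_uri_skip_host ships without a regression test; a request whose target is an absolute-form URI with userinfo, e.g. `GET http://user@example/ HTTP/1.1` (constructed example), should be added to the suite asserting a 400 response and connection close, alongside a case confirming that `@` inside a path is still accepted. The clause sits before the `$/`, `$\s` and `$?` terminators, so any `@` reached while skipping the authority is rejected before path parsing begins, which follows RFC 7230 §2.7.1's advice that a recipient treat a userinfo subcomponent as an error because it is commonly used to obscure the real authority. A short why-comment on the new clause, such as `%% Userinfo in the authority is rejected outright (RFC7230 2.7.1): it exists mainly to disguise the real host.`, would help the next maintainer. The remainder of the `case` expression, including whatever clause handles other characters, lies outside the hunk.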