http: return error on colon-less HTTP headers

It's a protocol violation and accepting them leads to no good. Add test case 398 to verify Closes #8610
2022-03-18 22:54:59 +01:00 · 2022-03-18 22:54:59 +01:00 · dcdf2e8a36
commit dcdf2e8a36
parent 33fe8251cb
3 changed files with 91 additions and 7 deletions
--- a/lib/http.c
+++ b/lib/http.c
@ -3775,6 +3775,29 @@ CURLcode Curl_http_size(struct Curl_easy *data)
  return CURLE_OK;
 }

+static CURLcode verify_header(struct Curl_easy *data)
+{
+  struct SingleRequest *k = &data->req;
+  const char *header = Curl_dyn_ptr(&data->state.headerb);
+  size_t hlen = Curl_dyn_len(&data->state.headerb);
+  char *ptr = memchr(header, 0x00, hlen);
+  if(ptr) {
+    /* this is bad, bail out */
+    failf(data, "Nul byte in header");
+    return CURLE_WEIRD_SERVER_REPLY;
+  }
+  if(k->headerline < 2)
+    /* the first "header" is the status-line and it has no colon */
+    return CURLE_OK;
+  ptr = memchr(header, ':', hlen);
+  if(!ptr) {
+    /* this is bad, bail out */
+    failf(data, "Header without semicolon");
+    return CURLE_WEIRD_SERVER_REPLY;
+  }
+  return CURLE_OK;
+}
+
 /*
 * Read any HTTP header lines from the server and pass them to the client app.
 */
@ -4283,12 +4306,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
      }
    }

-    end_ptr = memchr(headp, 0x00, Curl_dyn_len(&data->state.headerb));
-    if(end_ptr) {
-      /* this is bad, bail out */
-      failf(data, "Nul byte in header");
-      return CURLE_WEIRD_SERVER_REPLY;
-    }
+    result = verify_header(data);
+    if(result)
+      return result;

    result = Curl_http_header(data, conn, headp);
    if(result)
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -65,7 +65,7 @@ test370 test371 test372 test373 test374 test375 test376 \
 \
 test380 test381 test383 test384 test385 test386 \
 \
-test392 test393 test394 test395 test396 test397 \
+test392 test393 test394 test395 test396 test397 test398 \
 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
 test409 test410 \
--- a/tests/data/test398
+++ b/tests/data/test398
@ -0,0 +1,64 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+hello
+</data>
+<datacheck>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Reject HTTP/1.1 response with colon-less header
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<errorcode>
+%if hyper
+1
+%else
+8
+%endif
+</errorcode>
+</verify>
+</testcase>