From 2a01c7083704da6e46251a0808143c76b7e85acc Mon Sep 17 00:00:00 2001 From: jbencteux Date: Fri, 13 Apr 2018 14:10:26 +0200 Subject: [PATCH] fix Content-Encoding: x-gzip RFC 7230 section 4.2.3 states that: "A recipient SHOULD consider 'x-gzip' to be equivalent to 'gzip'" This could lead to evasions as an attacker could use: Content-Encoding: x-gzip To bypass Bro's decompression.
---
 src/analyzer/protocol/http/HTTP.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 65a511b8cb..c23d21617b 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -451,7 +451,8 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
 else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 )
 {
 data_chunk_t vt = h->get_value_token();
- if ( mime::strcasecmp_n(vt, "gzip") == 0 )
+ if ( mime::strcasecmp_n(vt, "gzip") == 0 ||
+ mime::strcasecmp_n(vt, "x-gzip") == 0 )
 encoding = GZIP;
 if ( mime::strcasecmp_n(vt, "deflate") == 0 )
 encoding = DEFLATE;
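Review bot: In the `content-encoding` branch of `HTTP_Entity::SubmitHeader`, a value token that matches none of the compared strings still leaves `encoding` unchanged without any report, so the evasion class described in the commit message stays invisible for any other spelling the sensor does not recognise. Only the single token returned by `h->get_value_token()` is compared, so a header that lists several codings is presumably judged on one token alone; that is worth confirming against the MIME tokenizer. Consider ending the chain with a branch that reports the unrecognised token through the analyzer's existing anomaly reporting, so that an undecoded body is at least visible in the logs. The alias itself deserves a comment such as `// RFC 7230 section 4.2.3: "x-gzip" is equivalent to "gzip"`, and the following `if` for `"deflate"` would read better as `else if`. The enclosing function starts and ends outside this hunk, so later handling of `encoding` could not be checked here.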