Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Remove the unescaped_special_char HTTP weird.

Browse source 
This weird points out a lot of benign stuff and it would
be easily reimplemented in a Bro script.  This commit
also makes the minor change to update the reserved and
unreserved characters from a newer from of the URI RFC.
This commit is contained in:
Seth Hall 2016-05-25 08:33:30 -04:00
parent 53c523fa6f
commit 3151a95381
1 changed files with 3 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

28
src/analyzer/protocol/http/HTTP.cc
View file

@ -1813,12 +1813,12 @@ void HTTP_Analyzer::SkipEntityData(int is_orig)
}
int analyzer::http::is_reserved_URI_char(unsigned char ch)
{ // see RFC 2396 (definition of URI)
return strchr(";/?:@&=+$,", ch) != 0;
{ // see RFC 3986 (definition of URI)
return strchr(":/?#[]@!$&'()*+,;=", ch) != 0;
}
int analyzer::http::is_unreserved_URI_char(unsigned char ch)
{ // see RFC 2396 (definition of URI)
{ // see RFC 3986 (definition of URI)
return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0;
}
@ -1835,19 +1835,6 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
byte_vec decoded_URI = new u_char[line_end - line + 1];
byte_vec URI_p = decoded_URI;
// An 'unescaped_special_char' here means a character that *should*
// be escaped, but isn't in the URI. A control characters that
// appears directly in the URI would be an example. The RFC implies
// that if we do not unescape the URI that we see in the trace, every
// character should be a printable one -- either reserved or unreserved
// (or '%').
//
// Counting the number of unescaped characters and generating a weird
// event on URI's with unescaped characters (which are rare) will
// let us locate strange-looking URI's in the trace -- those URI's
// are often interesting.
int unescaped_special_char = 0;
while ( line < line_end )
{
if ( *line == '%' )
@ -1892,12 +1879,6 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
else
{
if ( ! is_reserved_URI_char(*line) &&
! is_unreserved_URI_char(*line) )
// Count these up as a way to compress
// the corresponding Weird event to a
// single instance.
++unescaped_special_char;
*URI_p++ = *line;
}
@ -1906,8 +1887,5 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
URI_p[0] = 0;
if ( unescaped_special_char && analyzer )
analyzer->Weird("unescaped_special_URI_char");
return new BroString(1, decoded_URI, URI_p - decoded_URI);
}