Adapting the HTTP request line parsing to only accept methods

consisting of letters [A-Za-z].

I had some bogus HTTP sessions now with the test-suite that reported
data as HTTP because it started with "<!... ". Requiring letters seems
a reasonable constraint.
Robin Sommer 2012-12-05 16:44:04 -08:00
parent c8d264f105
commit 57510464a1
6 changed files with 77 additions and 43 deletions


@ -1119,21 +1119,29 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
{
const char* request_method_str = 0;
const char* end_of_request = 0;
const char* rest = 0;
int request_method_len = 0;
get_word(end_of_line - line, line, request_method_len, request_method_str);
const char* end_of_request = request_method_str + request_method_len;
const char* rest = skip_whitespace(end_of_request, end_of_line);
if ( request_method_len == 0 )
goto error;
if ( request_method_len == 0 || rest == end_of_request )
end_of_request = request_method_str + request_method_len;
for ( const char* p = request_method_str; p < end_of_request; p++ )
{
// End of line already reached. Most likely a DPD failure -
// this is pretty noisy for me, so leaving commented for now
reporter->Weird(Conn(), "bad_HTTP_request");
return 0;
// The method must consist of only letters.
if ( (*p < 'a' || *p > 'z') && (*p < 'A' || *p > 'Z') )
goto error;
}
rest = skip_whitespace(end_of_request, end_of_line);
if ( rest == end_of_request )
// End of line already reached. Most likely a DPD failure.
goto error;
request_method = new StringVal(request_method_len, request_method_str);
if ( ! ParseRequest(rest, end_of_line) )
@ -1144,6 +1152,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
unescaped_URI->AsString()->Len(), true, true, true, true);
return 1;
error:
reporter->Weird(Conn(), "bad_HTTP_request");
return 0;
}
int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
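Review bot: The letters-only loop in HTTP_RequestLine is narrower than the HTTP grammar, where a method is a "token" that may also contain digits and characters such as `-`; extension methods like `M-SEARCH` or WebDAV's `VERSION-CONTROL` now take the `goto error` path. For a monitoring analyzer that is a visibility gap, because a request a server would accept is no longer parsed or logged as HTTP and only raises the generic weird. If the goal is just to reject payloads like the `<!...` case from the description, consider allowing the hyphen as well, e.g. `if ( (*p < 'a' || *p > 'z') && (*p < 'A' || *p > 'Z') && *p != '-' )`, or at least state the trade-off in the comment: `// Deliberately stricter than the RFC token grammar; methods with '-' or digits are rejected.` Separately, the empty method, the non-letter method and the missing-URI case now all report the same `bad_HTTP_request`, so a distinct weird name for the method check would make a DPD mismatch easier to tell apart from a malformed request. The function body continues between the two hunks, so what happens to `request_method` on later failure paths is not visible here.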