diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index c1f4320c04..cae14586dd 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1843,19 +1843,29 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e if ( line == line_end ) { - // How to deal with % at end of line? - // *URI_p++ = '%'; + *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("illegal_%_at_end_of_URI"); break; } + else if ( line + 1 == line_end ) + { + // % + one character at end of line. Log weird + // and just add to unescpaped URI. + *URI_p++ = '%'; + *URI_p++ = *line; + if ( analyzer ) + analyzer->Weird("partial_escape_at_end_of_URI"); + break; + } + else if ( *line == '%' ) { // Double '%' might be either due to // software bug, or more likely, an // evasion (e.g. used by Nimda). - // *URI_p++ = '%'; + *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("double_%_in_URI"); --line; // ignore the first '%' diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log new file mode 100644 index 0000000000..8b2f960d80 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html +#close 2017-07-28-05-03-01 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log new file mode 100644 index 0000000000..df24831d15 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F bro +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F bro +#close 2017-07-28-05-03-01 diff --git a/testing/btest/Traces/http/percent-end-of-line.pcap b/testing/btest/Traces/http/percent-end-of-line.pcap new file mode 100644 index 0000000000..4d3854241a Binary files /dev/null and b/testing/btest/Traces/http/percent-end-of-line.pcap differ diff --git a/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro b/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro new file mode 100644 index 0000000000..a41dbab294 --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff weird.log +