From ade9aa219b69c7a313293751ff9350cfc10f4a89 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 27 Jul 2017 22:04:47 -0700
Subject: [PATCH] Better handling of % at end of line.
---
 src/analyzer/protocol/http/HTTP.cc | 16 +++++++++++++---
 .../http.log | 11 +++++++++++
 .../weird.log | 11 +++++++++++
 .../btest/Traces/http/percent-end-of-line.pcap | Bin 0 -> 3577 bytes
 .../base/protocols/http/percent-end-of-line.bro | 4 ++++
 5 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
 create mode 100644 testing/btest/Traces/http/percent-end-of-line.pcap
 create mode 100644 testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index c1f4320c04..cae14586dd 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1843,19 +1843,29 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
 if ( line == line_end )
 {
- // How to deal with % at end of line?
- // *URI_p++ = '%';
+ *URI_p++ = '%';
 if ( analyzer )
 analyzer->Weird("illegal_%_at_end_of_URI");
 break;
 }
+ else if ( line + 1 == line_end )
+ {
+ // % + one character at end of line. Log weird
+ // and just add to unescpaped URI.
+ *URI_p++ = '%';
+ *URI_p++ = *line;
+ if ( analyzer )
+ analyzer->Weird("partial_escape_at_end_of_URI");
+ break;
+ }
+
 else if ( *line == '%' )
 {
 // Double '%' might be either due to
 // software bug, or more likely, an
 // evasion (e.g. used by Nimda).
- // *URI_p++ = '%';
+ *URI_p++ = '%';
 if ( analyzer )
 analyzer->Weird("double_%_in_URI");
 --line; // ignore the first '%'
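Review bot: The new `else if ( line + 1 == line_end )` branch is tested before `else if ( *line == '%' )`, so a URI whose last two bytes are `%%` is now reported as `partial_escape_at_end_of_URI` and copied through as `%%`, while the same pair anywhere else in the URI still yields `double_%_in_URI`. If that is intended, the comment on the new branch should say so and lose its typo, e.g. `// % followed by exactly one byte (possibly another '%') at end of line: log a weird and copy both bytes to the unescaped URI.` Re-enabling the three `*URI_p++ = '%'` writes means the decoded output can now be as long as the input in the worst case (one byte per lone `%`, two bytes for the `%X` tail), so the buffer `URI_p` writes into — allocated outside this hunk — must hold at least as many bytes as the input URI plus any terminator; please confirm its size rather than relying on the old behaviour of silently dropping the byte. unescape_URI begins before this hunk and its remaining branches follow it, and the hunk's last two context lines appear to be missing from this rendering.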
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
new file mode 100644
index 0000000000..8b2f960d80
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open 2017-07-28-05-03-01
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html
+1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html
+#close 2017-07-28-05-03-01
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
new file mode 100644
index 0000000000..df24831d15
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F bro +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F bro +#close 2017-07-28-05-03-01 diff --git a/testing/btest/Traces/http/percent-end-of-line.pcap b/testing/btest/Traces/http/percent-end-of-line.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4d3854241a1b7d900c13c91790a929cf22889bda GIT binary patch literal 3577 zcmeH|e{2(F7{}k1GPctug8%{od5a)FTzhS4q3cTB*bi2+L4{7)9}te~yY|>|*WF#m z7%|R3ObkB~FySx%&=?}bM2*3JR3S$ z>D%<)_wMsP@AG```Cc9QJ|biT{Ks+Cap|7x;(+g~uU|Y{ zOM7flDN}8>YHpSN zZW`Ad_B=iD2O;a>8b_X+-vj8BL|_Brt8%s@8FwJ@>!b4>O>1C>;df^A(c7Qp=?;4} zH+SCl8AyknreWM~19>e_ag@a!xbP>&9WX3$4+A|qR9ic1Xo!%pcn6V;#KrdrIRt6J zVI|sLo30`;_i07qoZ4C0no{Dr)&%93(Dpb0_rn#F^ zOo7=>bx@LJfe(7TbXlh$N{XTC=>{583?@^Upc^;SE!5}r`1}o2>kkJ59`ACxj)}c0 z@Avw=@b%F)Nn<_g0FR4Ku1OSG2G|B0F!;2wORf_#8CenqLsAuf0B2qpu+Hw18~WCG zJ@s`f_!Z{APyyub5R_C_NU<pBxo zZZp&RnHHu^89_`l-tP%`{Hy7*HkMR1VY!()1C-+KU`onJhv`Z$RCr=OMOoD$l`v)A zm)MhmO^c;(pki9kbY`rPbk!XS1?$~V4<{FKwQOuobjMpkr=1-%-nF(P)=U?xM;9E`q{|M$$}3!i6CjGK*Ty9O3iRT!c4oi|kO7d+6Xt$cx=nhTY4KD=M;gnRMT3!LvNDBu1NIEQFhN!4!Mn*zJ=KGL|V88qaL@P$VKXT}Y2;)zWaJ_DL5G##sE zNWitgRH46AGtJag;dGKa2(1yD4ye%7461PB1fsR+kic6V*mQcID{VRlYUVqdDYUVw zSD}TDwXuUpMPhtX;?fgH{QjE?M3+fyC@1c1A3t?@j59YOadbgN;&h0yzDPV&i1EV% zidj+_pRK?}Hr{qK$1oH_^tV*ed&jV`yVY7J*z)RC#WX z+{L)%y_UEa0)0Q)*zGq8xqa}#+<8(AiL-WBk;7nNIIKk5(4{R%c{