mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
0003495a9b
Mostly, treat HTTP0.9 completely separate. Because we're doing raw delivery of a body directly, fake enough (connection_close=1, and finish headers manually) so that the MIME infrastructure thinks it is seeing a body. This deals better with the body due to accounting for the first line. Also it avoids the content line analyzer to strip CRLF/LF and the analyzer then adding CRLF unconditionally by fully bypassing the content line analyzer. Concretely, the vlan-mpls test case contains a HTTP response with LF only, but the previous implementation would use CRLF, accounting for two many bytes. Same for the http.no-version test which would previously report a body length of 280 and now is at 323 (which agrees with wireshark). Further, the mime_type detection for the http-09 test case works because it's now seeing the full body. Drawback: We don't extract headers when a server actually replies with a HTTP/1.1 message, but grrr, something needs to give I guess. |
||
|---|---|---|
| .. | ||
| http.log | ||