author | Edward Thomson <ethomson@edwardthomson.com> | 2018-11-18 11:00:11 +0000 |
---|---|---|
committer | Edward Thomson <ethomson@edwardthomson.com> | 2018-11-28 15:46:57 +0000 |
commit | 0467606ff4dbf57401c8b58188652df821ec865b (patch) | |
tree | c85aac4c3da450499b1c8ad645d0a84fbbf5deb4 | |
parent | 3a2e48366135decbe4f265c72f0ace612f349412 (diff) | |
download | libgit2-0467606ff4dbf57401c8b58188652df821ec865b.tar.gz |
http: disallow repeated headers from servers
Don't allow servers to send us multiple Content-Type, Content-Length
or Location headers.
-rw-r--r-- | src/transports/http.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/src/transports/http.c b/src/transports/http.c
index 925772246..ce2e30964 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -306,16 +306,22 @@ static int on_header_ready(http_subtransport *t)
  git_buf *value = &t->parse_header_value;
 
  if (!strcasecmp("Content-Type", git_buf_cstr(name))) {
- if (!t->content_type) {
- t->content_type = git__strdup(git_buf_cstr(value));
- GITERR_CHECK_ALLOC(t->content_type);
+ if (t->content_type) {
+ giterr_set(GITERR_NET, "multiple Content-Type headers");
+ return -1;
  }
+
+ t->content_type = git__strdup(git_buf_cstr(value));
+ GITERR_CHECK_ALLOC(t->content_type);
  }
  else if (!strcasecmp("Content-Length", git_buf_cstr(name))) {
- if (!t->content_length) {
- t->content_length = git__strdup(git_buf_cstr(value));
- GITERR_CHECK_ALLOC(t->content_length);
+ if (t->content_length) {
+ giterr_set(GITERR_NET, "multiple Content-Length headers");
+ return -1;
  }
+
+ t->content_length = git__strdup(git_buf_cstr(value));
+ GITERR_CHECK_ALLOC(t->content_length);
  }
  else if (!strcasecmp("Proxy-Authenticate", git_buf_cstr(name))) {
  char *dup = git__strdup(git_buf_cstr(value));
@@ -332,10 +338,13 @@ static int on_header_ready(http_subtransport *t)
  return -1;
  }
  else if (!strcasecmp("Location", git_buf_cstr(name))) {
- if (!t->location) {
- t->location = git__strdup(git_buf_cstr(value));
- GITERR_CHECK_ALLOC(t->location);
+ if (t->location) {
+ giterr_set(GITERR_NET, "multiple Location headers");
+ return -1;
  }
+
+ t->location = git__strdup(git_buf_cstr(value));
+ GITERR_CHECK_ALLOC(t->location);
  }
 
  return 0; |
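Review bot: The `Content-Length` branch rejects a repeated header line, but a single field that carries a list, such as `Content-Length: 42, 42`, is still copied into `t->content_length` unchanged. Whether that form is refused depends on how the string is parsed later, which is outside this hunk, so it is worth confirming that the parser fails on anything other than one decimal value. A short comment above the first check, e.g. `/* a repeated framing or redirect header is ambiguous between parsers; refuse it rather than keep the first */`, would record why the first-wins behaviour was dropped. on_header_ready begins before this hunk and continues past it.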
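Review bot: With the new `if (t->location)` check, a value left over from an earlier response on the same subtransport now fails the request with "multiple Location headers", where the old code silently kept it. The same applies to `t->content_type` and `t->content_length` in the first hunk. The code that frees and NULLs these fields between responses is not visible here, so confirm it runs before every new response is parsed (redirect follow-up, authentication retry, connection reuse). The commit touches only `src/transports/http.c`; a test that serves a duplicated header, plus one that follows a redirect, would pin both behaviours.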