[core] stricter validation of request-URI begin

check that request-URI begins with '/', "http://", "https://", or is OPTIONS * request, or else reject with 400 Bad Request unless server.http-parseopt-header-strict = "disable" (default is enabled) x-ref: https://redmine.lighttpd.net/boards/3/topics/7637
author: Glenn Strauss <gstrauss@gluelogic.com> 2017-10-21 21:44:34 -0400
committer: Glenn Strauss <gstrauss@gluelogic.com> 2017-10-21 21:44:34 -0400
commit: 60b5826849710f8f7bd8dbb8a31f94aef9ae6254 (patch)
tree: 78942beadc0eabd24172fee9470fb50c60ff8150
parent: 6be68f569fdb57d5d1ebeaa1fca41736f757abf3 (diff)
download: lighttpd-git-60b5826849710f8f7bd8dbb8a31f94aef9ae6254.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/src/request.c b/src/request.c
index 950c91ee..fbfed15a 100644
--- a/src/request.c
+++ b/src/request.c
@@ -635,9 +635,15 @@ int http_request_parse(server *srv, connection *con) {
 					reqline_hostlen = nuri - reqline_host;
 
 					buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
-				} else {
+				} else if (!http_header_strict
+					   || (HTTP_METHOD_OPTIONS == con->request.http_method && uri[0] == '*' && uri[1] == '\0')) {
 					/* everything looks good so far */
 					buffer_copy_string_len(con->request.uri, uri, proto - uri - 1);
+				} else {
+					con->http_status = 400;
+					con->keep_alive = 0;
+					log_error_write(srv, __FILE__, __LINE__, "ss", "request-URI parse error -> 400 for:", uri);
+					return 0;
 				}
 
 				/* check uri for invalid characters */
author	Glenn Strauss <gstrauss@gluelogic.com>	2017-10-21 21:44:34 -0400
committer	Glenn Strauss <gstrauss@gluelogic.com>	2017-10-21 21:44:34 -0400
commit	60b5826849710f8f7bd8dbb8a31f94aef9ae6254 (patch)
tree	78942beadc0eabd24172fee9470fb50c60ff8150
parent	6be68f569fdb57d5d1ebeaa1fca41736f757abf3 (diff)
download	lighttpd-git-60b5826849710f8f7bd8dbb8a31f94aef9ae6254.tar.gz