author | Glenn Strauss <gstrauss@gluelogic.com> | 2019-09-28 19:21:56 -0400 |
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2020-01-26 00:40:20 -0500 |
commit | 61f85d14ee4444755e0771495b97af11162448dd (patch) | |
tree | 7357d06ec949c7aae2e4bc87d681cedbf0d25bd5 /tests/request.t | |
parent | 851728c6a13ed38a2c333daf62f8d6e649e11004 (diff) | |
download | lighttpd-git-61f85d14ee4444755e0771495b97af11162448dd.tar.gz |
[core] reject WS following header field-name (fixes #2985)
reject whitespace following request header field-name and before colon
Such whitespace is forbidden in RFC 7230 Section 3.2.4.
strict header parsing is enabled by default in lighttpd. However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept (and re-format) such field-names before passing to any backend.
UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
This is NOT RECOMMENDED since doing so disables other protections
provided by lighttpd strict http header parsing.
(thx fedormixalich)
x-ref:
stricter request header parsing
https://redmine.lighttpd.net/issues/2985
Diffstat (limited to 'tests/request.t')
-rwxr-xr-x | tests/request.t | 12 |
1 files changed, 1 insertions, 11 deletions
diff --git a/tests/request.t b/tests/request.t
index 96ef077b..aa1cace0 100755
--- a/tests/request.t
+++ b/tests/request.t
@@ -8,7 +8,7 @@ BEGIN {
 use strict;
 use IO::Socket;
-use Test::More tests => 52;
+use Test::More tests => 51;
 use LightyTest;
 my $tf = LightyTest->new();
@@ -503,16 +503,6 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
 ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
-print "\nConnection header\n";
-$t->{REQUEST} = ( <<EOF
-GET /12345.txt HTTP/1.1
-Connection : close
-Host: 123.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 200, 'HTTP-Content' => '12345'."\n", 'Content-Type' => 'text/plain', 'Connection' => 'close' } ];
-ok($tf->handle_http($t) == 0, 'Connection-header, spaces before ":"');
-
 $t->{REQUEST} = ( <<EOF
 GET /12345.txt HTTP/1.1
 Connection: ,close |
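Review bot: Lowering the plan from 52 to 51 only records that the `Connection : close` case was deleted; nothing in request.t now asserts the behaviour this commit introduces, that a field-name followed by whitespace before the colon is rejected under the default strict parsing (the deletion itself is in the second hunk of this file, which runs past this chunk). Unless another file in the commit covers it, keep the same request as a negative case, replace the 200 expectation with `$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 400 } ];` (presumably 400 is the status returned; confirm against the server change) and `ok($tf->handle_http($t) == 0, 'Connection-header, spaces before ":" rejected');`, and leave the plan at 52. A regression that silently re-accepts such headers would then fail a test instead of going unnoticed.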