Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http: disallow > 3-digit response codes #7641

Closed
wants to merge 4 commits into from
Closed

http: disallow > 3-digit response codes #7641

wants to merge 4 commits into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Aug 26, 2021

Make the built-in HTTP parser behave similar to hyper and reject any
HTTP response using more than 3 digits for the response code.

Updated test 1432 accordingly.
Enabled test 1432 in the hyper builds.

@bagder bagder changed the title http: disallow 4-digit response codes http: disallow > 3-digit response codes Aug 26, 2021
danielgustafsson
danielgustafsson reviewed Aug 26, 2021
View reviewed changes
lib/http.c Outdated
if(baddigit != -1) {
failf(data, "Unsupported response code in HTTP response");
return CURLE_UNSUPPORTED_PROTOCOL;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this also inspect nc to just to be on the safe side?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, maybe that's better for readability but surely baddigit cannot be assigned anything if the other fields didn't already get stored?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah no, the check below will be skipped ... updating!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went with an explanatory comment instead. What do you think @danielgustafsson ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bagder
http: disallow >3-digit response codes
5a82f54 
Make the built-in HTTP parser behave similar to hyper and reject any
HTTP response using more than 3 digits for the response code.

Updated test 1432 accordingly.
Enabled test 1432 in the hyper builds.

Closes #7641
@bagder bagder force-pushed the bagder/http-4digit-response branch from eefd539 to 5a82f54 Compare August 26, 2021 14:29
@bagder bagder closed this in 5dc594e Aug 26, 2021
@bagder bagder deleted the bagder/http-4digit-response branch August 26, 2021 20:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danielgustafsson danielgustafsson danielgustafsson left review comments

Assignees
No one assigned
Labels
HTTP Hyper tests
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bagder @danielgustafsson