authorSebastian Benoit <benno@cvs.openbsd.org>2021-10-21 11:48:31 +0000
committerSebastian Benoit <benno@cvs.openbsd.org>2021-10-21 11:48:31 +0000
commiteb8ae247128facb0cce8ef7450ae99fd0696e54b (patch)
treed2af9ce7b2bf8ec231035261884394703c9367a2 /usr.sbin/httpd
parent2a5a6273484ccba2d25a690aa253fb7624325530 (diff)
when a client sends header lines without a colon, respond with 400 Bad
Request instead of 500 Internal Server Error. ok claudio@
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r--usr.sbin/httpd/server_http.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 732add41283..6a74f3e45c5 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.143 2021/01/05 19:56:11 tb Exp $ */
+/* $OpenBSD: server_http.c,v 1.144 2021/10/21 11:48:30 benno Exp $ */
/*
* Copyright (c) 2020 Matthias Pressfreund <mpfr@fn.de>
@@ -268,8 +268,14 @@ server_read_http(struct bufferevent *bev, void *arg)
else if (*key == ' ' || *key == '\t')
/* Multiline headers wrap with a space or tab */
value = NULL;
- else
+ else {
+ /* Not a multiline header, should have a : */
value = strchr(key, ':');
+ if (value == NULL) {
+ server_abort_http(clt, 400, "malformed");
+ goto abort;
+ }
+ }
if (value == NULL) {
if (clt->clt_line == 1) {
server_abort_http(clt, 400, "malformed");
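Review bot: The new check in the `else` branch only verifies that a colon exists, so a line beginning with `:` (an empty field name) still passes, because `strchr()` then returns `key` itself. Extending the guard to `if (value == NULL || value == key) {` would give that case the same 400; whether later code already rejects it is outside the visible lines. RFC 7230 section 3.2.4 also requires a 400 for whitespace between the field name and the colon, which is not checked here and matters for request-smuggling resistance when the server sits behind a proxy that parses such lines differently. After this change the following `if (value == NULL)` can no longer be reached from this branch, so a short comment there, for example `/* only the first line or a folded continuation line gets here */`, would keep the two 400 paths easy to tell apart. The body of server_read_http starts and ends outside the hunk.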