search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix errors detected by Coverity Scan
[lighttpd.git] / src / request.c
blob50898602b9cddccf84cc6d4c3ab0a5e364563e30
1 #include "first.h"
2
3 #include "request.h"
4 #include "keyvalue.h"
5 #include "log.h"
6
7 #include <sys/stat.h>
8
9 #include <limits.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <stdio.h>
13 #include <ctype.h>
14
15 static int request_check_hostname(buffer *host) {
16 enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL;
17 size_t i;
18 int label_len = 0;
19 size_t host_len, hostport_len;
20 char *colon;
21 int is_ip = -1; /* -1 don't know yet, 0 no, 1 yes */
22 int level = 0;
23
24 /*
25 * hostport = host [ ":" port ]
26 * host = hostname | IPv4address | IPv6address
27 * hostname = *( domainlabel "." ) toplabel [ "." ]
28 * domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
29 * toplabel = alpha | alpha *( alphanum | "-" ) alphanum
30 * IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit
31 * IPv6address = "[" ... "]"
32 * port = *digit
33 */
34
35 /* IPv6 adress */
36 if (host->ptr[0] == '[') {
37 char *c = host->ptr + 1;
38 int colon_cnt = 0;
39
40 /* check the address inside [...] */
41 for (; *c && *c != ']'; c++) {
42 if (*c == ':') {
43 if (++colon_cnt > 7) {
44 return -1;
45 }
46 } else if (!light_isxdigit(*c) && '.' != *c) {
47 return -1;
48 }
49 }
50
51 /* missing ] */
52 if (!*c) {
53 return -1;
54 }
55
56 /* check port */
57 if (*(c+1) == ':') {
58 for (c += 2; *c; c++) {
59 if (!light_isdigit(*c)) {
60 return -1;
61 }
62 }
63 }
64 else if ('\0' != *(c+1)) {
65 /* only a port is allowed to follow [...] */
66 return -1;
67 }
68 return 0;
69 }
70
71 hostport_len = host_len = buffer_string_length(host);
72
73 if (NULL != (colon = memchr(host->ptr, ':', host_len))) {
74 char *c = colon + 1;
75
76 /* check portnumber */
77 for (; *c; c++) {
78 if (!light_isdigit(*c)) return -1;
79 }
80
81 /* remove the port from the host-len */
82 host_len = colon - host->ptr;
83 }
84
85 /* Host is empty */
86 if (host_len == 0) return -1;
87
88 /* if the hostname ends in a "." strip it */
89 if (host->ptr[host_len-1] == '.') {
90 /* shift port info one left */
91 if (NULL != colon) memmove(colon-1, colon, hostport_len - host_len);
92 buffer_string_set_length(host, --hostport_len);
93 if (--host_len == 0) return -1;
94 }
95
96
97 /* scan from the right and skip the \0 */
98 for (i = host_len; i-- > 0; ) {
99 const char c = host->ptr[i];
100
101 switch (stage) {
102 case TOPLABEL:
103 if (c == '.') {
104 /* only switch stage, if this is not the last character */
105 if (i != host_len - 1) {
106 if (label_len == 0) {
107 return -1;
108 }
109
110 /* check the first character at right of the dot */
111 if (is_ip == 0) {
112 if (!light_isalnum(host->ptr[i+1])) {
113 return -1;
114 }
115 } else if (!light_isdigit(host->ptr[i+1])) {
116 is_ip = 0;
117 } else if ('-' == host->ptr[i+1]) {
118 return -1;
119 } else {
120 /* just digits */
121 is_ip = 1;
122 }
123
124 stage = DOMAINLABEL;
125
126 label_len = 0;
127 level++;
128 } else if (i == 0) {
129 /* just a dot and nothing else is evil */
130 return -1;
131 }
132 } else if (i == 0) {
133 /* the first character of the hostname */
134 if (!light_isalnum(c)) {
135 return -1;
136 }
137 label_len++;
138 } else {
139 if (c != '-' && !light_isalnum(c)) {
140 return -1;
141 }
142 if (is_ip == -1) {
143 if (!light_isdigit(c)) is_ip = 0;
144 }
145 label_len++;
146 }
147
148 break;
149 case DOMAINLABEL:
150 if (is_ip == 1) {
151 if (c == '.') {
152 if (label_len == 0) {
153 return -1;
154 }
155
156 label_len = 0;
157 level++;
158 } else if (!light_isdigit(c)) {
159 return -1;
160 } else {
161 label_len++;
162 }
163 } else {
164 if (c == '.') {
165 if (label_len == 0) {
166 return -1;
167 }
168
169 /* c is either - or alphanum here */
170 if ('-' == host->ptr[i+1]) {
171 return -1;
172 }
173
174 label_len = 0;
175 level++;
176 } else if (i == 0) {
177 if (!light_isalnum(c)) {
178 return -1;
179 }
180 label_len++;
181 } else {
182 if (c != '-' && !light_isalnum(c)) {
183 return -1;
184 }
185 label_len++;
186 }
187 }
188
189 break;
190 }
191 }
192
193 /* a IP has to consist of 4 parts */
194 if (is_ip == 1 && level != 3) {
195 return -1;
196 }
197
198 if (label_len == 0) {
199 return -1;
200 }
201
202 return 0;
203 }
204
205 int http_request_host_normalize(buffer *b) {
206 /*
207 * check for and canonicalize numeric IP address and portnum (optional)
208 * (IP address may be followed by ":portnum" (optional))
209 * - IPv6: "[...]"
210 * - IPv4: "x.x.x.x"
211 * - IPv4: 12345678 (32-bit decimal number)
212 * - IPv4: 012345678 (32-bit octal number)
213 * - IPv4: 0x12345678 (32-bit hex number)
214 *
215 * allow any chars (except ':' and '\0' and stray '[' or ']')
216 * (other code may check chars more strictly or more pedantically)
217 * ':' delimits (optional) port at end of string
218 * "[]" wraps IPv6 address literal
219 * '\0' should have been rejected earlier were it present
220 *
221 * any chars includes, but is not limited to:
222 * - allow '-' any where, even at beginning of word
223 * (security caution: might be confused for cmd flag if passed to shell)
224 * - allow all-digit TLDs
225 * (might be mistaken for IPv4 addr by inet_aton()
226 * unless non-digits appear in subdomain)
227 */
228
229 /* Note: not using getaddrinfo() since it does not support "[]" around IPv6
230 * and is not as lenient as inet_aton() and inet_addr() for IPv4 strings.
231 * Not using inet_pton() (when available) on IPv4 for similar reasons. */
232
233 const char * const p = b->ptr;
234 const size_t blen = buffer_string_length(b);
235 long port = 0;
236
237 if (*p != '[') {
238 char * const colon = (char *)memchr(p, ':', blen);
239 if (colon) {
240 if (*p == ':') return -1; /*(empty host then port, or naked IPv6)*/
241 if (colon[1] != '\0') {
242 char *e;
243 port = strtol(colon+1, &e, 0); /*(allow decimal, octal, hex)*/
244 if (0 < port && port <= USHRT_MAX && *e == '\0') {
245 /* valid port */
246 } else {
247 return -1;
248 }
249 } /*(else ignore stray colon at string end)*/
250 buffer_string_set_length(b, (size_t)(colon - p)); /*(remove port str)*/
251 }
252
253 if (light_isdigit(*p)) {
254 /* (IPv4 address literal or domain starting w/ digit (e.g. 3com))*/
255 struct in_addr addr;
256 #if defined(HAVE_INET_ATON) /*(Windows does not provide inet_aton())*/
257 if (0 != inet_aton(p, &addr))
258 #else
259 if ((addr.s_addr = inet_addr(p)) != INADDR_NONE)
260 #endif
261 {
262 #if defined(HAVE_INET_PTON)/*(expect inet_ntop() if inet_pton())*/
263 #ifndef INET_ADDRSTRLEN
264 #define INET_ADDRSTRLEN 16
265 #endif
266 char buf[INET_ADDRSTRLEN];
267 inet_ntop(AF_INET, (const void *)&addr, buf, sizeof(buf));
268 buffer_copy_string(b, buf);
269 #else
270 buffer_copy_string(b, inet_ntoa(addr)); /*(not thread-safe)*/
271 #endif
272 }
273 }
274 } else { /* IPv6 addr */
275 #if defined(HAVE_IPV6) && defined(HAVE_INET_PTON)
276
277 struct in6_addr addr;
278 char *bracket = b->ptr+blen-1;
279 int rc;
280 char buf[INET6_ADDRSTRLEN];
281 if (blen <= 2) return -1; /*(invalid "[]")*/
282 if (*bracket != ']') {
283 bracket = (char *)memchr(b->ptr+1, ']', blen-1);
284 if (NULL == bracket || bracket[1] != ':' || bracket - b->ptr == 1){
285 return -1;
286 }
287 if (bracket[2] != '\0') { /*(ignore stray colon at string end)*/
288 char *e;
289 port = strtol(bracket+2, &e, 0); /*(allow decimal, octal, hex)*/
290 if (0 < port && port <= USHRT_MAX && *e == '\0') {
291 /* valid port */
292 } else {
293 return -1;
294 }
295 }
296 }
297
298 *bracket = '\0';/*(terminate IPv6 string)*/
299 rc = inet_pton(AF_INET6, b->ptr+1, &addr);
300 *bracket = ']'; /*(restore bracket)*/
301 if (1 != rc) return -1;
302
303 inet_ntop(AF_INET6,(const void *)&addr, buf, sizeof(buf));
304 buffer_string_set_length(b, 1); /* truncate after '[' */
305 buffer_append_string(b, buf);
306 buffer_append_string_len(b, CONST_STR_LEN("]"));
307
308 #else
309
310 return -1;
311
312 #endif
313 }
314
315 if (port) {
316 buffer_append_string_len(b, CONST_STR_LEN(":"));
317 buffer_append_int(b, (int)port);
318 }
319
320 return 0;
321 }
322
323 #if 0
324 #define DUMP_HEADER
325 #endif
326
327 static int http_request_split_value(array *vals, buffer *b) {
328 size_t i, len;
329 int state = 0;
330
331 const char *current;
332 const char *token_start = NULL, *token_end = NULL;
333 /*
334 * parse
335 *
336 * val1, val2, val3, val4
337 *
338 * into a array (more or less a explode() incl. striping of whitespaces
339 */
340
341 if (buffer_string_is_empty(b)) return 0;
342
343 current = b->ptr;
344 len = buffer_string_length(b);
345 for (i = 0; i <= len; ++i, ++current) {
346 data_string *ds;
347
348 switch (state) {
349 case 0: /* find start of a token */
350 switch (*current) {
351 case ' ':
352 case '\t': /* skip white space */
353 case ',': /* skip empty token */
354 break;
355 case '\0': /* end of string */
356 return 0;
357 default:
358 /* found real data, switch to state 1 to find the end of the token */
359 token_start = token_end = current;
360 state = 1;
361 break;
362 }
363 break;
364 case 1: /* find end of token and last non white space character */
365 switch (*current) {
366 case ' ':
367 case '\t':
368 /* space - don't update token_end */
369 break;
370 case ',':
371 case '\0': /* end of string also marks the end of a token */
372 if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
373 ds = data_string_init();
374 }
375
376 buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
377 array_insert_unique(vals, (data_unset *)ds);
378
379 state = 0;
380 break;
381 default:
382 /* no white space, update token_end to include current character */
383 token_end = current;
384 break;
385 }
386 break;
387 }
388 }
389
390 return 0;
391 }
392
393 static int request_uri_is_valid_char(unsigned char c) {
394 if (c <= 32) return 0;
395 if (c == 127) return 0;
396 if (c == 255) return 0;
397
398 return 1;
399 }
400
401 int http_request_parse(server *srv, connection *con) {
402 char *uri = NULL, *proto = NULL, *method = NULL, con_length_set;
403 int is_key = 1, key_len = 0, is_ws_after_key = 0, in_folding;
404 char *value = NULL, *key = NULL;
405 char *reqline_host = NULL;
406 int reqline_hostlen = 0;
407
408 enum { HTTP_CONNECTION_UNSET, HTTP_CONNECTION_KEEPALIVE, HTTP_CONNECTION_CLOSE } keep_alive_set = HTTP_CONNECTION_UNSET;
409
410 int line = 0;
411
412 int request_line_stage = 0;
413 size_t i, first, ilen;
414
415 int done = 0;
416 const unsigned int http_header_strict = (con->conf.http_parseopts & HTTP_PARSEOPT_HEADER_STRICT);
417
418 /*
419 * Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$"
420 * Option : "^([-a-zA-Z]+): (.+)$"
421 * End : "^$"
422 */
423
424 if (con->conf.log_request_header) {
425 log_error_write(srv, __FILE__, __LINE__, "sdsdSb",
426 "fd:", con->fd,
427 "request-len:", buffer_string_length(con->request.request),
428 "\n", con->request.request);
429 }
430
431 if (con->request_count > 1 &&
432 con->request.request->ptr[0] == '\r' &&
433 con->request.request->ptr[1] == '\n') {
434 /* we are in keep-alive and might get \r\n after a previous POST request.*/
435
436 buffer_copy_string_len(con->parse_request, con->request.request->ptr + 2, buffer_string_length(con->request.request) - 2);
437 } else {
438 /* fill the local request buffer */
439 buffer_copy_buffer(con->parse_request, con->request.request);
440 }
441
442 keep_alive_set = 0;
443 con_length_set = 0;
444
445 /* parse the first line of the request
446 *
447 * should be:
448 *
449 * <method> <uri> <protocol>\r\n
450 * */
451 ilen = buffer_string_length(con->parse_request);
452 for (i = 0, first = 0; i < ilen && line == 0; i++) {
453 switch(con->parse_request->ptr[i]) {
454 case '\r':
455 if (con->parse_request->ptr[i+1] == '\n') {
456 http_method_t r;
457 char *nuri = NULL;
458 size_t j, jlen;
459
460 /* \r\n -> \0\0 */
461 con->parse_request->ptr[i] = '\0';
462 con->parse_request->ptr[i+1] = '\0';
463
464 buffer_copy_string_len(con->request.request_line, con->parse_request->ptr, i);
465
466 if (request_line_stage != 2) {
467 con->http_status = 400;
468 con->response.keep_alive = 0;
469 con->keep_alive = 0;
470
471 if (srv->srvconf.log_request_header_on_error) {
472 log_error_write(srv, __FILE__, __LINE__, "s", "incomplete request line -> 400");
473 log_error_write(srv, __FILE__, __LINE__, "Sb",
474 "request-header:\n",
475 con->request.request);
476 }
477 return 0;
478 }
479
480 proto = con->parse_request->ptr + first;
481
482 *(uri - 1) = '\0';
483 *(proto - 1) = '\0';
484
485 /* we got the first one :) */
486 if (HTTP_METHOD_UNSET == (r = get_http_method_key(method))) {
487 con->http_status = 501;
488 con->response.keep_alive = 0;
489 con->keep_alive = 0;
490
491 if (srv->srvconf.log_request_header_on_error) {
492 log_error_write(srv, __FILE__, __LINE__, "s", "unknown http-method -> 501");
493 log_error_write(srv, __FILE__, __LINE__, "Sb",
494 "request-header:\n",
495 con->request.request);
496 }
497
498 return 0;
499 }
500
501 con->request.http_method = r;
502
503 /*
504 * RFC2616 says:
505 *
506 * HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT
507 *
508 * */
509 if (0 == strncmp(proto, "HTTP/", sizeof("HTTP/") - 1)) {
510 char * major = proto + sizeof("HTTP/") - 1;
511 char * minor = strchr(major, '.');
512 char *err = NULL;
513 int major_num = 0, minor_num = 0;
514
515 int invalid_version = 0;
516
517 if (NULL == minor || /* no dot */
518 minor == major || /* no major */
519 *(minor + 1) == '\0' /* no minor */) {
520 invalid_version = 1;
521 } else {
522 *minor = '\0';
523 major_num = strtol(major, &err, 10);
524
525 if (*err != '\0') invalid_version = 1;
526
527 *minor++ = '.';
528 minor_num = strtol(minor, &err, 10);
529
530 if (*err != '\0') invalid_version = 1;
531 }
532
533 if (invalid_version) {
534 con->http_status = 400;
535 con->keep_alive = 0;
536
537 if (srv->srvconf.log_request_header_on_error) {
538 log_error_write(srv, __FILE__, __LINE__, "s", "unknown protocol -> 400");
539 log_error_write(srv, __FILE__, __LINE__, "Sb",
540 "request-header:\n",
541 con->request.request);
542 }
543 return 0;
544 }
545
546 if (major_num == 1 && minor_num == 1) {
547 con->request.http_version = con->conf.allow_http11 ? HTTP_VERSION_1_1 : HTTP_VERSION_1_0;
548 } else if (major_num == 1 && minor_num == 0) {
549 con->request.http_version = HTTP_VERSION_1_0;
550 } else {
551 con->http_status = 505;
552
553 if (srv->srvconf.log_request_header_on_error) {
554 log_error_write(srv, __FILE__, __LINE__, "s", "unknown HTTP version -> 505");
555 log_error_write(srv, __FILE__, __LINE__, "Sb",
556 "request-header:\n",
557 con->request.request);
558 }
559 return 0;
560 }
561 } else {
562 con->http_status = 400;
563 con->keep_alive = 0;
564
565 if (srv->srvconf.log_request_header_on_error) {
566 log_error_write(srv, __FILE__, __LINE__, "s", "unknown protocol -> 400");
567 log_error_write(srv, __FILE__, __LINE__, "Sb",
568 "request-header:\n",
569 con->request.request);
570 }
571 return 0;
572 }
573
574 if (0 == strncmp(uri, "http://", 7) &&
575 NULL != (nuri = strchr(uri + 7, '/'))) {
576 reqline_host = uri + 7;
577 reqline_hostlen = nuri - reqline_host;
578
579 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
580 } else if (0 == strncmp(uri, "https://", 8) &&
581 NULL != (nuri = strchr(uri + 8, '/'))) {
582 reqline_host = uri + 8;
583 reqline_hostlen = nuri - reqline_host;
584
585 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
586 } else {
587 /* everything looks good so far */
588 buffer_copy_string_len(con->request.uri, uri, proto - uri - 1);
589 }
590
591 /* check uri for invalid characters */
592 jlen = buffer_string_length(con->request.uri);
593 if (http_header_strict) {
594 for (j = 0; j < jlen && request_uri_is_valid_char(con->request.uri->ptr[j]); j++) ;
595 } else {
596 char *z = memchr(con->request.uri->ptr, '\0', jlen);
597 j = (NULL == z) ? jlen : (size_t)(z - con->request.uri->ptr);
598 }
599 if (j < jlen) {
600 con->http_status = 400;
601 con->keep_alive = 0;
602
603 if (srv->srvconf.log_request_header_on_error) {
604 unsigned char buf[2];
605 buf[0] = con->request.uri->ptr[j];
606 buf[1] = '\0';
607
608 if (con->request.uri->ptr[j] > 32 &&
609 con->request.uri->ptr[j] != 127) {
610 /* the character is printable -> print it */
611 log_error_write(srv, __FILE__, __LINE__, "ss",
612 "invalid character in URI -> 400",
613 buf);
614 } else {
615 /* a control-character, print ascii-code */
616 log_error_write(srv, __FILE__, __LINE__, "sd",
617 "invalid character in URI -> 400",
618 con->request.uri->ptr[j]);
619 }
620
621 log_error_write(srv, __FILE__, __LINE__, "Sb",
622 "request-header:\n",
623 con->request.request);
624 }
625
626 return 0;
627 }
628
629 buffer_copy_buffer(con->request.orig_uri, con->request.uri);
630
631 con->http_status = 0;
632
633 i++;
634 line++;
635 first = i+1;
636 }
637 break;
638 case ' ':
639 switch(request_line_stage) {
640 case 0:
641 /* GET|POST|... */
642 method = con->parse_request->ptr + first;
643 first = i + 1;
644 break;
645 case 1:
646 /* /foobar/... */
647 uri = con->parse_request->ptr + first;
648 first = i + 1;
649 break;
650 default:
651 /* ERROR, one space to much */
652 con->http_status = 400;
653 con->response.keep_alive = 0;
654 con->keep_alive = 0;
655
656 if (srv->srvconf.log_request_header_on_error) {
657 log_error_write(srv, __FILE__, __LINE__, "s", "overlong request line -> 400");
658 log_error_write(srv, __FILE__, __LINE__, "Sb",
659 "request-header:\n",
660 con->request.request);
661 }
662 return 0;
663 }
664
665 request_line_stage++;
666 break;
667 }
668 }
669
670 in_folding = 0;
671
672 if (buffer_string_is_empty(con->request.uri)) {
673 con->http_status = 400;
674 con->response.keep_alive = 0;
675 con->keep_alive = 0;
676
677 if (srv->srvconf.log_request_header_on_error) {
678 log_error_write(srv, __FILE__, __LINE__, "s", "no uri specified -> 400");
679 log_error_write(srv, __FILE__, __LINE__, "Sb",
680 "request-header:\n",
681 con->request.request);
682 }
683 return 0;
684 }
685
686 if (reqline_host) {
687 /* Insert as host header */
688 data_string *ds;
689
690 if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
691 ds = data_string_init();
692 }
693
694 buffer_copy_string_len(ds->key, CONST_STR_LEN("Host"));
695 buffer_copy_string_len(ds->value, reqline_host, reqline_hostlen);
696 array_insert_unique(con->request.headers, (data_unset *)ds);
697 con->request.http_host = ds->value;
698 }
699
700 for (; i <= ilen && !done; i++) {
701 char *cur = con->parse_request->ptr + i;
702
703 if (is_key) {
704 size_t j;
705 int got_colon = 0;
706
707 /**
708 * 1*<any CHAR except CTLs or separators>
709 * CTLs == 0-31 + 127, CHAR = 7-bit ascii (0..127)
710 *
711 */
712 switch(*cur) {
713 case ':':
714 is_key = 0;
715
716 value = cur + 1;
717
718 if (is_ws_after_key == 0) {
719 key_len = i - first;
720 }
721 is_ws_after_key = 0;
722
723 break;
724 case '(':
725 case ')':
726 case '<':
727 case '>':
728 case '@':
729 case ',':
730 case ';':
731 case '\\':
732 case '\"':
733 case '/':
734 case '[':
735 case ']':
736 case '?':
737 case '=':
738 case '{':
739 case '}':
740 con->http_status = 400;
741 con->keep_alive = 0;
742 con->response.keep_alive = 0;
743
744 if (srv->srvconf.log_request_header_on_error) {
745 log_error_write(srv, __FILE__, __LINE__, "sbsds",
746 "invalid character in key", con->request.request, cur, *cur, "-> 400");
747
748 log_error_write(srv, __FILE__, __LINE__, "Sb",
749 "request-header:\n",
750 con->request.request);
751 }
752 return 0;
753 case ' ':
754 case '\t':
755 if (i == first) {
756 is_key = 0;
757 in_folding = 1;
758 value = cur;
759
760 break;
761 }
762
763
764 key_len = i - first;
765
766 /* skip every thing up to the : */
767 for (j = 1; !got_colon; j++) {
768 switch(con->parse_request->ptr[j + i]) {
769 case ' ':
770 case '\t':
771 /* skip WS */
772 continue;
773 case ':':
774 /* ok, done; handle the colon the usual way */
775
776 i += j - 1;
777 got_colon = 1;
778 is_ws_after_key = 1; /* we already know the key length */
779
780 break;
781 default:
782 /* error */
783
784 if (srv->srvconf.log_request_header_on_error) {
785 log_error_write(srv, __FILE__, __LINE__, "s", "WS character in key -> 400");
786 log_error_write(srv, __FILE__, __LINE__, "Sb",
787 "request-header:\n",
788 con->request.request);
789 }
790
791 con->http_status = 400;
792 con->response.keep_alive = 0;
793 con->keep_alive = 0;
794
795 return 0;
796 }
797 }
798
799 break;
800 case '\r':
801 if (con->parse_request->ptr[i+1] == '\n' && i == first) {
802 /* End of Header */
803 con->parse_request->ptr[i] = '\0';
804 con->parse_request->ptr[i+1] = '\0';
805
806 i++;
807
808 done = 1;
809 } else {
810 if (srv->srvconf.log_request_header_on_error) {
811 log_error_write(srv, __FILE__, __LINE__, "s", "CR without LF -> 400");
812 log_error_write(srv, __FILE__, __LINE__, "Sb",
813 "request-header:\n",
814 con->request.request);
815 }
816
817 con->http_status = 400;
818 con->keep_alive = 0;
819 con->response.keep_alive = 0;
820 return 0;
821 }
822 break;
823 default:
824 if (http_header_strict ? (*cur < 32 || ((unsigned char)*cur) >= 127) : *cur == '\0') {
825 con->http_status = 400;
826 con->keep_alive = 0;
827 con->response.keep_alive = 0;
828
829 if (srv->srvconf.log_request_header_on_error) {
830 log_error_write(srv, __FILE__, __LINE__, "sbsds",
831 "invalid character in key", con->request.request, cur, *cur, "-> 400");
832
833 log_error_write(srv, __FILE__, __LINE__, "Sb",
834 "request-header:\n",
835 con->request.request);
836 }
837
838 return 0;
839 }
840 /* ok */
841 break;
842 }
843 } else {
844 switch(*cur) {
845 case '\r':
846 if (con->parse_request->ptr[i+1] == '\n') {
847 data_string *ds = NULL;
848
849 /* End of Headerline */
850 con->parse_request->ptr[i] = '\0';
851 con->parse_request->ptr[i+1] = '\0';
852
853 if (in_folding) {
854 buffer *key_b;
855 /**
856 * we use a evil hack to handle the line-folding
857 *
858 * As array_insert_unique() deletes 'ds' in the case of a duplicate
859 * ds points somewhere and we get a evil crash. As a solution we keep the old
860 * "key" and get the current value from the hash and append us
861 *
862 * */
863
864 if (!key || !key_len) {
865 /* 400 */
866
867 if (srv->srvconf.log_request_header_on_error) {
868 log_error_write(srv, __FILE__, __LINE__, "s", "WS at the start of first line -> 400");
869
870 log_error_write(srv, __FILE__, __LINE__, "Sb",
871 "request-header:\n",
872 con->request.request);
873 }
874
875
876 con->http_status = 400;
877 con->keep_alive = 0;
878 con->response.keep_alive = 0;
879 return 0;
880 }
881
882 key_b = buffer_init();
883 buffer_copy_string_len(key_b, key, key_len);
884
885 if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr))) {
886 buffer_append_string(ds->value, value);
887 }
888
889 buffer_free(key_b);
890 } else {
891 int s_len;
892 key = con->parse_request->ptr + first;
893
894 s_len = cur - value;
895
896 /* strip trailing white-spaces */
897 for (; s_len > 0 &&
898 (value[s_len - 1] == ' ' ||
899 value[s_len - 1] == '\t'); s_len--);
900
901 value[s_len] = '\0';
902
903 if (s_len > 0) {
904 int cmp = 0;
905 if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
906 ds = data_string_init();
907 }
908 buffer_copy_string_len(ds->key, key, key_len);
909 buffer_copy_string_len(ds->value, value, s_len);
910
911 /* retreive values
912 *
913 *
914 * the list of options is sorted to simplify the search
915 */
916
917 if (0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Connection")))) {
918 array *vals;
919 size_t vi;
920
921 /* split on , */
922
923 vals = srv->split_vals;
924
925 array_reset(vals);
926
927 http_request_split_value(vals, ds->value);
928
929 for (vi = 0; vi < vals->used; vi++) {
930 data_string *dsv = (data_string *)vals->data[vi];
931
932 if (0 == buffer_caseless_compare(CONST_BUF_LEN(dsv->value), CONST_STR_LEN("keep-alive"))) {
933 keep_alive_set = HTTP_CONNECTION_KEEPALIVE;
934
935 break;
936 } else if (0 == buffer_caseless_compare(CONST_BUF_LEN(dsv->value), CONST_STR_LEN("close"))) {
937 keep_alive_set = HTTP_CONNECTION_CLOSE;
938
939 break;
940 }
941 }
942
943 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) {
944 char *err;
945 unsigned long int r;
946 size_t j, jlen;
947
948 if (con_length_set) {
949 con->http_status = 400;
950 con->keep_alive = 0;
951
952 if (srv->srvconf.log_request_header_on_error) {
953 log_error_write(srv, __FILE__, __LINE__, "s",
954 "duplicate Content-Length-header -> 400");
955 log_error_write(srv, __FILE__, __LINE__, "Sb",
956 "request-header:\n",
957 con->request.request);
958 }
959 array_insert_unique(con->request.headers, (data_unset *)ds);
960 return 0;
961 }
962
963 jlen = buffer_string_length(ds->value);
964 for (j = 0; j < jlen; j++) {
965 char c = ds->value->ptr[j];
966 if (!isdigit((unsigned char)c)) {
967 log_error_write(srv, __FILE__, __LINE__, "sbs",
968 "content-length broken:", ds->value, "-> 400");
969
970 con->http_status = 400;
971 con->keep_alive = 0;
972
973 array_insert_unique(con->request.headers, (data_unset *)ds);
974 return 0;
975 }
976 }
977
978 r = strtoul(ds->value->ptr, &err, 10);
979
980 if (*err == '\0') {
981 con_length_set = 1;
982 con->request.content_length = r;
983 } else {
984 log_error_write(srv, __FILE__, __LINE__, "sbs",
985 "content-length broken:", ds->value, "-> 400");
986
987 con->http_status = 400;
988 con->keep_alive = 0;
989
990 array_insert_unique(con->request.headers, (data_unset *)ds);
991 return 0;
992 }
993 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Type")))) {
994 /* if dup, only the first one will survive */
995 if (!con->request.http_content_type) {
996 con->request.http_content_type = ds->value->ptr;
997 } else {
998 con->http_status = 400;
999 con->keep_alive = 0;
1000
1001 if (srv->srvconf.log_request_header_on_error) {
1002 log_error_write(srv, __FILE__, __LINE__, "s",
1003 "duplicate Content-Type-header -> 400");
1004 log_error_write(srv, __FILE__, __LINE__, "Sb",
1005 "request-header:\n",
1006 con->request.request);
1007 }
1008 array_insert_unique(con->request.headers, (data_unset *)ds);
1009 return 0;
1010 }
1011 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Expect")))) {
1012 /* HTTP 2616 8.2.3
1013 * Expect: 100-continue
1014 *
1015 * -> (10.1.1) 100 (read content, process request, send final status-code)
1016 * -> (10.4.18) 417 (close)
1017 *
1018 * (not handled at all yet, we always send 417 here)
1019 *
1020 * What has to be added ?
1021 * 1. handling of chunked request body
1022 * 2. out-of-order sending from the HTTP/1.1 100 Continue
1023 * header
1024 *
1025 */
1026
1027 if (srv->srvconf.reject_expect_100_with_417 && 0 == buffer_caseless_compare(CONST_BUF_LEN(ds->value), CONST_STR_LEN("100-continue"))) {
1028 con->http_status = 417;
1029 con->keep_alive = 0;
1030 array_insert_unique(con->request.headers, (data_unset *)ds);
1031 return 0;
1032 }
1033 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Host")))) {
1034 if (reqline_host) {
1035 /* ignore all host: headers as we got the host in the request line */
1036 ds->free((data_unset*) ds);
1037 ds = NULL;
1038 } else if (!con->request.http_host) {
1039 con->request.http_host = ds->value;
1040 } else {
1041 con->http_status = 400;
1042 con->keep_alive = 0;
1043
1044 if (srv->srvconf.log_request_header_on_error) {
1045 log_error_write(srv, __FILE__, __LINE__, "s",
1046 "duplicate Host-header -> 400");
1047 log_error_write(srv, __FILE__, __LINE__, "Sb",
1048 "request-header:\n",
1049 con->request.request);
1050 }
1051 array_insert_unique(con->request.headers, (data_unset *)ds);
1052 return 0;
1053 }
1054 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-Modified-Since")))) {
1055 /* Proxies sometimes send dup headers
1056 * if they are the same we ignore the second
1057 * if not, we raise an error */
1058 if (!con->request.http_if_modified_since) {
1059 con->request.http_if_modified_since = ds->value->ptr;
1060 } else if (0 == strcasecmp(con->request.http_if_modified_since,
1061 ds->value->ptr)) {
1062 /* ignore it if they are the same */
1063
1064 ds->free((data_unset *)ds);
1065 ds = NULL;
1066 } else {
1067 con->http_status = 400;
1068 con->keep_alive = 0;
1069
1070 if (srv->srvconf.log_request_header_on_error) {
1071 log_error_write(srv, __FILE__, __LINE__, "s",
1072 "duplicate If-Modified-Since header -> 400");
1073 log_error_write(srv, __FILE__, __LINE__, "Sb",
1074 "request-header:\n",
1075 con->request.request);
1076 }
1077 array_insert_unique(con->request.headers, (data_unset *)ds);
1078 return 0;
1079 }
1080 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-None-Match")))) {
1081 /* if dup, only the first one will survive */
1082 if (!con->request.http_if_none_match) {
1083 con->request.http_if_none_match = ds->value->ptr;
1084 } else {
1085 ds->free((data_unset*) ds);
1086 ds = NULL;
1087 }
1088 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Range")))) {
1089 if (!con->request.http_range) {
1090 /* bytes=.*-.* */
1091
1092 if (0 == strncasecmp(ds->value->ptr, "bytes=", 6) &&
1093 NULL != strchr(ds->value->ptr+6, '-')) {
1094
1095 /* if dup, only the first one will survive */
1096 con->request.http_range = ds->value->ptr + 6;
1097 }
1098 } else {
1099 con->http_status = 400;
1100 con->keep_alive = 0;
1101
1102 if (srv->srvconf.log_request_header_on_error) {
1103 log_error_write(srv, __FILE__, __LINE__, "s",
1104 "duplicate Range-header -> 400");
1105 log_error_write(srv, __FILE__, __LINE__, "Sb",
1106 "request-header:\n",
1107 con->request.request);
1108 }
1109 array_insert_unique(con->request.headers, (data_unset *)ds);
1110 return 0;
1111 }
1112 }
1113
1114 if (ds) array_insert_unique(con->request.headers, (data_unset *)ds);
1115 } else {
1116 /* empty header-fields are not allowed by HTTP-RFC, we just ignore them */
1117 }
1118 }
1119
1120 i++;
1121 first = i+1;
1122 is_key = 1;
1123 value = NULL;
1124 #if 0
1125 /**
1126 * for Bug 1230 keep the key_len a live
1127 */
1128 key_len = 0;
1129 #endif
1130 in_folding = 0;
1131 } else {
1132 if (srv->srvconf.log_request_header_on_error) {
1133 log_error_write(srv, __FILE__, __LINE__, "sbs",
1134 "CR without LF", con->request.request, "-> 400");
1135 }
1136
1137 con->http_status = 400;
1138 con->keep_alive = 0;
1139 con->response.keep_alive = 0;
1140 return 0;
1141 }
1142 break;
1143 case ' ':
1144 case '\t':
1145 /* strip leading WS */
1146 if (value == cur) value = cur+1;
1147 break;
1148 default:
1149 if (http_header_strict ? (*cur >= 0 && *cur < 32) : *cur == '\0') {
1150 if (srv->srvconf.log_request_header_on_error) {
1151 log_error_write(srv, __FILE__, __LINE__, "sds",
1152 "invalid char in header", (int)*cur, "-> 400");
1153 }
1154
1155 con->http_status = 400;
1156 con->keep_alive = 0;
1157
1158 return 0;
1159 }
1160 break;
1161 }
1162 }
1163 }
1164
1165 con->header_len = i;
1166
1167 /* do some post-processing */
1168
1169 if (con->request.http_version == HTTP_VERSION_1_1) {
1170 if (keep_alive_set != HTTP_CONNECTION_CLOSE) {
1171 /* no Connection-Header sent */
1172
1173 /* HTTP/1.1 -> keep-alive default TRUE */
1174 con->keep_alive = 1;
1175 } else {
1176 con->keep_alive = 0;
1177 }
1178
1179 /* RFC 2616, 14.23 */
1180 if (con->request.http_host == NULL ||
1181 buffer_string_is_empty(con->request.http_host)) {
1182 con->http_status = 400;
1183 con->response.keep_alive = 0;
1184 con->keep_alive = 0;
1185
1186 if (srv->srvconf.log_request_header_on_error) {
1187 log_error_write(srv, __FILE__, __LINE__, "s", "HTTP/1.1 but Host missing -> 400");
1188 log_error_write(srv, __FILE__, __LINE__, "Sb",
1189 "request-header:\n",
1190 con->request.request);
1191 }
1192 return 0;
1193 }
1194 } else {
1195 if (keep_alive_set == HTTP_CONNECTION_KEEPALIVE) {
1196 /* no Connection-Header sent */
1197
1198 /* HTTP/1.0 -> keep-alive default FALSE */
1199 con->keep_alive = 1;
1200 } else {
1201 con->keep_alive = 0;
1202 }
1203 }
1204
1205 /* check hostname field if it is set */
1206 if (!buffer_is_empty(con->request.http_host) &&
1207 (((con->conf.http_parseopts & HTTP_PARSEOPT_HOST_STRICT) &&
1208 0 != request_check_hostname(con->request.http_host))
1209 || ((con->conf.http_parseopts & HTTP_PARSEOPT_HOST_NORMALIZE) &&
1210 0 != http_request_host_normalize(con->request.http_host)))) {
1211
1212 if (srv->srvconf.log_request_header_on_error) {
1213 log_error_write(srv, __FILE__, __LINE__, "s",
1214 "Invalid Hostname -> 400");
1215 log_error_write(srv, __FILE__, __LINE__, "Sb",
1216 "request-header:\n",
1217 con->request.request);
1218 }
1219
1220 con->http_status = 400;
1221 con->response.keep_alive = 0;
1222 con->keep_alive = 0;
1223
1224 return 0;
1225 }
1226
1227 switch(con->request.http_method) {
1228 case HTTP_METHOD_GET:
1229 case HTTP_METHOD_HEAD:
1230 /* content-length is forbidden for those */
1231 if (con_length_set && con->request.content_length != 0) {
1232 /* content-length is missing */
1233 log_error_write(srv, __FILE__, __LINE__, "s",
1234 "GET/HEAD with content-length -> 400");
1235
1236 con->keep_alive = 0;
1237 con->http_status = 400;
1238 return 0;
1239 }
1240 break;
1241 case HTTP_METHOD_POST:
1242 /* content-length is required for them */
1243 if (!con_length_set) {
1244 /* content-length is missing */
1245 log_error_write(srv, __FILE__, __LINE__, "s",
1246 "POST-request, but content-length missing -> 411");
1247
1248 con->keep_alive = 0;
1249 con->http_status = 411;
1250 return 0;
1251
1252 }
1253 break;
1254 default:
1255 /* require Content-Length if request contains request body */
1256 if (array_get_element(con->request.headers, "Transfer-Encoding")) {
1257 /* presence of Transfer-Encoding in request headers requires "chunked"
1258 * be final encoding in HTTP/1.1. Return 411 Length Required as
1259 * lighttpd does not support request input transfer-encodings */
1260 con->keep_alive = 0;
1261 con->http_status = 411; /* 411 Length Required */
1262 return 0;
1263 }
1264 break;
1265 }
1266
1267
1268 /* check if we have read post data */
1269 if (con_length_set) {
1270 /* don't handle more the SSIZE_MAX bytes in content-length */
1271 if (con->request.content_length > SSIZE_MAX) {
1272 con->http_status = 413;
1273 con->keep_alive = 0;
1274
1275 log_error_write(srv, __FILE__, __LINE__, "sos",
1276 "request-size too long:", (off_t) con->request.content_length, "-> 413");
1277 return 0;
1278 }
1279
1280 /* divide by 1024 as srvconf.max_request_size is in kBytes */
1281 if (srv->srvconf.max_request_size != 0 &&
1282 (con->request.content_length >> 10) > srv->srvconf.max_request_size) {
1283 /* the request body itself is larger then
1284 * our our max_request_size
1285 */
1286
1287 con->http_status = 413;
1288 con->keep_alive = 0;
1289
1290 log_error_write(srv, __FILE__, __LINE__, "sos",
1291 "request-size too long:", (off_t) con->request.content_length, "-> 413");
1292 return 0;
1293 }
1294
1295
1296 /* we have content */
1297 if (con->request.content_length != 0) {
1298 return 1;
1299 }
1300 }
1301
1302 return 0;
1303 }
1304
1305 int http_request_header_finished(server *srv, connection *con) {
1306 UNUSED(srv);
1307
1308 if (buffer_string_length(con->request.request) < 4) return 0;
1309
1310 if (0 == memcmp(con->request.request->ptr + buffer_string_length(con->request.request) - 4, CONST_STR_LEN("\r\n\r\n"))) return 1;
1311 if (NULL != strstr(con->request.request->ptr, "\r\n\r\n")) return 1;
1312
1313 return 0;
1314 }
A fast webserver with minimal memory-footprint (lighttpd)