tests/core-request.t

   1 #!/usr/bin/env perl
   2 BEGIN {
   3         # add current source dir to the include-path
   4         # we need this for make distcheck
   5         (my $srcdir = $0) =~ s,/[^/]+$,/,;
   6         unshift @INC, $srcdir;
   7 }
   8
   9 use strict;
  10 use IO::Socket;
  11 use Test::More tests => 38;
  12 use LightyTest;
  13
  14 my $tf = LightyTest->new();
  15 my $t;
  16
  17 ok($tf->start_proc == 0, "Starting lighttpd") or die();
  18
  19 ## Low-Level Request-Header Parsing - URI
  20
  21 $t->{REQUEST}  = ( <<EOF
  22 GET /index%2ehtml HTTP/1.0
  23 EOF
  24  );
  25 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  26 ok($tf->handle_http($t) == 0, 'URL-encoding');
  27
  28 $t->{REQUEST}  = ( <<EOF
  29 GET /index.html%00 HTTP/1.0
  30 EOF
  31  );
  32 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
  33 ok($tf->handle_http($t) == 0, 'URL-encoding, %00');
  34
  35
  36
  37 ## Low-Level Request-Header Parsing - Host
  38
  39 $t->{REQUEST}  = ( <<EOF
  40 GET / HTTP/1.0
  41 Host: www.example.org
  42 EOF
  43  );
  44 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  45 ok($tf->handle_http($t) == 0, 'hostname');
  46
  47 $t->{REQUEST}  = ( <<EOF
  48 GET / HTTP/1.0
  49 Host: 127.0.0.1
  50 EOF
  51  );
  52 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  53 ok($tf->handle_http($t) == 0, 'IPv4 address');
  54
  55 $t->{REQUEST}  = ( <<EOF
  56 GET / HTTP/1.0
  57 Host: [::1]
  58 EOF
  59  );
  60 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  61 ok($tf->handle_http($t) == 0, 'IPv6 address');
  62
  63 $t->{REQUEST}  = ( <<EOF
  64 GET / HTTP/1.0
  65 Host: www.example.org:80
  66 EOF
  67  );
  68 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  69 ok($tf->handle_http($t) == 0, 'hostname + port');
  70
  71 $t->{REQUEST}  = ( <<EOF
  72 GET / HTTP/1.0
  73 Host: 127.0.0.1:80
  74 EOF
  75  );
  76 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  77 ok($tf->handle_http($t) == 0, 'IPv4 address + port');
  78
  79 $t->{REQUEST}  = ( <<EOF
  80 GET / HTTP/1.0
  81 Host: [::1]:80
  82 EOF
  83  );
  84 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
  85 ok($tf->handle_http($t) == 0, 'IPv6 address + port');
  86
  87 $t->{REQUEST}  = ( <<EOF
  88 GET / HTTP/1.0
  89 Host: ../123.org
  90 EOF
  91  );
  92 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
  93 ok($tf->handle_http($t) == 0, 'directory traversal');
  94
  95 $t->{REQUEST}  = ( <<EOF
  96 GET / HTTP/1.0
  97 Host: .jsdh.sfdg.sdfg.
  98 EOF
  99  );
 100 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 101 ok($tf->handle_http($t) == 0, 'leading and trailing dot');
 102
 103 $t->{REQUEST}  = ( <<EOF
 104 GET / HTTP/1.0
 105 Host: jsdh.sfdg.sdfg.
 106 EOF
 107  );
 108 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
 109 ok($tf->handle_http($t) == 0, 'trailing dot is ok');
 110
 111 $t->{REQUEST}  = ( <<EOF
 112 GET / HTTP/1.0
 113 Host: .jsdh.sfdg.sdfg
 114 EOF
 115  );
 116 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 117 ok($tf->handle_http($t) == 0, 'leading dot');
 118
 119
 120 $t->{REQUEST}  = ( <<EOF
 121 GET / HTTP/1.0
 122 Host: jsdh..sfdg.sdfg
 123 EOF
 124  );
 125 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 126 ok($tf->handle_http($t) == 0, 'two dots');
 127
 128 $t->{REQUEST}  = ( <<EOF
 129 GET / HTTP/1.0
 130 Host: jsdh.sfdg.sdfg:asd
 131 EOF
 132  );
 133 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 134 ok($tf->handle_http($t) == 0, 'broken port-number');
 135
 136 $t->{REQUEST}  = ( <<EOF
 137 GET / HTTP/1.0
 138 Host: jsdh.sfdg.sdfg:-1
 139 EOF
 140  );
 141 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 142 ok($tf->handle_http($t) == 0, 'negative port-number');
 143
 144
 145 $t->{REQUEST}  = ( <<EOF
 146 GET / HTTP/1.0
 147 Host: :80
 148 EOF
 149  );
 150 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 151 ok($tf->handle_http($t) == 0, 'port given but host missing');
 152
 153 $t->{REQUEST}  = ( <<EOF
 154 GET / HTTP/1.0
 155 Host: .jsdh.sfdg.:sdfg.
 156 EOF
 157  );
 158 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 159 ok($tf->handle_http($t) == 0, 'port and host are broken');
 160
 161 $t->{REQUEST}  = ( <<EOF
 162 GET / HTTP/1.0
 163 Host: a.b-c.d123
 164 EOF
 165  );
 166 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
 167 ok($tf->handle_http($t) == 0, 'allowed characters in host-name');
 168
 169 $t->{REQUEST}  = ( <<EOF
 170 GET / HTTP/1.0
 171 Host: -a.c
 172 EOF
 173  );
 174 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 175 ok($tf->handle_http($t) == 0, 'leading dash');
 176
 177 $t->{REQUEST}  = ( <<EOF
 178 GET / HTTP/1.0
 179 Host: .
 180 EOF
 181  );
 182 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 183 ok($tf->handle_http($t) == 0, 'dot only');
 184
 185 $t->{REQUEST}  = ( <<EOF
 186 GET / HTTP/1.0
 187 Host: a192.168.2.10:1234
 188 EOF
 189  );
 190 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 191 ok($tf->handle_http($t) == 0, 'broken IPv4 address - non-digit');
 192
 193 $t->{REQUEST}  = ( <<EOF
 194 GET / HTTP/1.0
 195 Host: 192.168.2:1234
 196 EOF
 197  );
 198 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 199 ok($tf->handle_http($t) == 0, 'broken IPv4 address - too short');
 200
 201 $t->{REQUEST}  = ( <<EOF
 202 GET / HTTP/1.0
 203 Host: [::1]' UNION SELECT '/
 204 EOF
 205  );
 206 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 207 ok($tf->handle_http($t) == 0, 'IPv6 address + SQL injection');
 208
 209 $t->{REQUEST}  = ( <<EOF
 210 GET / HTTP/1.0
 211 Host: [::1]/../../../
 212 EOF
 213  );
 214 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 215 ok($tf->handle_http($t) == 0, 'IPv6 address + path traversal');
 216
 217
 218
 219 ## Low-Level Request-Header Parsing - Content-Length
 220
 221
 222 $t->{REQUEST}  = ( <<EOF
 223 GET /index.html HTTP/1.0
 224 Content-Length: -2
 225 EOF
 226  );
 227 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 228 ok($tf->handle_http($t) == 0, 'negative Content-Length');
 229
 230 $t->{REQUEST}  = ( <<EOF
 231 POST /12345.txt HTTP/1.0
 232 Host: 123.example.org
 233 Content-Length: 2147483648
 234 EOF
 235  );
 236 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 413 } ];
 237 ok($tf->handle_http($t) == 0, 'Content-Length > max-request-size');
 238
 239 $t->{REQUEST}  = ( <<EOF
 240 POST /12345.txt HTTP/1.0
 241 Host: 123.example.org
 242 Content-Length:
 243 EOF
 244  );
 245 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 411 } ];
 246 ok($tf->handle_http($t) == 0, 'Content-Length is empty');
 247
 248 print "\nLow-Level Request-Header Parsing - HTTP/1.1\n";
 249 $t->{REQUEST}  = ( <<EOF
 250 GET / HTTP/1.1
 251 EOF
 252  );
 253 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 400 } ];
 254 ok($tf->handle_http($t) == 0, 'Host missing');
 255
 256 print "\nContent-Type\n";
 257 $t->{REQUEST}  = ( <<EOF
 258 GET /image.jpg HTTP/1.0
 259 EOF
 260  );
 261 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ];
 262 ok($tf->handle_http($t) == 0, 'Content-Type - image/jpeg');
 263
 264 $t->{REQUEST}  = ( <<EOF
 265 GET /image.JPG HTTP/1.0
 266 EOF
 267  );
 268 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'image/jpeg' } ];
 269 ok($tf->handle_http($t) == 0, 'Content-Type - image/jpeg (upper case)');
 270
 271 $t->{REQUEST}  = ( <<EOF
 272 GET /a HTTP/1.0
 273 EOF
 274  );
 275 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Type' => 'application/octet-stream' } ];
 276 ok($tf->handle_http($t) == 0, 'Content-Type - unknown');
 277
 278 $t->{REQUEST}  = ( <<EOF
 279 GET  HTTP/1.0
 280 EOF
 281  );
 282 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 283 ok($tf->handle_http($t) == 0, 'empty request-URI');
 284
 285 $t->{REQUEST}  = ( <<EOF
 286 GET /Foo.txt HTTP/1.0
 287 EOF
 288  );
 289 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
 290 ok($tf->handle_http($t) == 0, 'uppercase filenames');
 291
 292 $t->{REQUEST}  = ( <<EOF
 293 GET / HTTP/1.0
 294 Location: foo
 295 Location: foobar
 296   baz
 297 EOF
 298  );
 299 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
 300 ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping');
 301
 302 $t->{REQUEST}  = ( <<EOF
 303 GET / HTTP/1.0
 304 Location:
 305 Location: foobar
 306   baz
 307 EOF
 308  );
 309 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
 310 ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 2');
 311
 312 $t->{REQUEST}  = ( <<EOF
 313 GET / HTTP/1.0
 314 A:
 315 Location: foobar
 316   baz
 317 EOF
 318  );
 319 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
 320 ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 3');
 321
 322
 323
 324
 325 ok($tf->stop_proc == 0, "Stopping lighttpd");
 326