search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[mod_cgi] quiet trace if mod_cgi sends SIGTERM (fixes #2838)
[lighttpd.git] / src / request.c
blob501560814d8b6c36a90d213527b32f024908c57e
1 #include "first.h"
2
3 #include "request.h"
4 #include "keyvalue.h"
5 #include "log.h"
6 #include "sock_addr.h"
7
8 #include <sys/stat.h>
9
10 #include <limits.h>
11 #include <stdlib.h>
12 #include <string.h>
13
14 static int request_check_hostname(buffer *host) {
15 enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL;
16 size_t i;
17 int label_len = 0;
18 size_t host_len, hostport_len;
19 char *colon;
20 int is_ip = -1; /* -1 don't know yet, 0 no, 1 yes */
21 int level = 0;
22
23 /*
24 * hostport = host [ ":" port ]
25 * host = hostname | IPv4address | IPv6address
26 * hostname = *( domainlabel "." ) toplabel [ "." ]
27 * domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
28 * toplabel = alpha | alpha *( alphanum | "-" ) alphanum
29 * IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit
30 * IPv6address = "[" ... "]"
31 * port = *digit
32 */
33
34 /* IPv6 adress */
35 if (host->ptr[0] == '[') {
36 char *c = host->ptr + 1;
37 int colon_cnt = 0;
38
39 /* check the address inside [...] */
40 for (; *c && *c != ']'; c++) {
41 if (*c == ':') {
42 if (++colon_cnt > 7) {
43 return -1;
44 }
45 } else if (!light_isxdigit(*c) && '.' != *c) {
46 return -1;
47 }
48 }
49
50 /* missing ] */
51 if (!*c) {
52 return -1;
53 }
54
55 /* check port */
56 if (*(c+1) == ':') {
57 for (c += 2; *c; c++) {
58 if (!light_isdigit(*c)) {
59 return -1;
60 }
61 }
62 }
63 else if ('\0' != *(c+1)) {
64 /* only a port is allowed to follow [...] */
65 return -1;
66 }
67 return 0;
68 }
69
70 hostport_len = host_len = buffer_string_length(host);
71
72 if (NULL != (colon = memchr(host->ptr, ':', host_len))) {
73 char *c = colon + 1;
74
75 /* check portnumber */
76 for (; *c; c++) {
77 if (!light_isdigit(*c)) return -1;
78 }
79
80 /* remove the port from the host-len */
81 host_len = colon - host->ptr;
82 }
83
84 /* Host is empty */
85 if (host_len == 0) return -1;
86
87 /* if the hostname ends in a "." strip it */
88 if (host->ptr[host_len-1] == '.') {
89 /* shift port info one left */
90 if (NULL != colon) memmove(colon-1, colon, hostport_len - host_len);
91 buffer_string_set_length(host, --hostport_len);
92 if (--host_len == 0) return -1;
93 }
94
95
96 /* scan from the right and skip the \0 */
97 for (i = host_len; i-- > 0; ) {
98 const char c = host->ptr[i];
99
100 switch (stage) {
101 case TOPLABEL:
102 if (c == '.') {
103 /* only switch stage, if this is not the last character */
104 if (i != host_len - 1) {
105 if (label_len == 0) {
106 return -1;
107 }
108
109 /* check the first character at right of the dot */
110 if (is_ip == 0) {
111 if (!light_isalnum(host->ptr[i+1])) {
112 return -1;
113 }
114 } else if (!light_isdigit(host->ptr[i+1])) {
115 is_ip = 0;
116 } else if ('-' == host->ptr[i+1]) {
117 return -1;
118 } else {
119 /* just digits */
120 is_ip = 1;
121 }
122
123 stage = DOMAINLABEL;
124
125 label_len = 0;
126 level++;
127 } else if (i == 0) {
128 /* just a dot and nothing else is evil */
129 return -1;
130 }
131 } else if (i == 0) {
132 /* the first character of the hostname */
133 if (!light_isalnum(c)) {
134 return -1;
135 }
136 label_len++;
137 } else {
138 if (c != '-' && !light_isalnum(c)) {
139 return -1;
140 }
141 if (is_ip == -1) {
142 if (!light_isdigit(c)) is_ip = 0;
143 }
144 label_len++;
145 }
146
147 break;
148 case DOMAINLABEL:
149 if (is_ip == 1) {
150 if (c == '.') {
151 if (label_len == 0) {
152 return -1;
153 }
154
155 label_len = 0;
156 level++;
157 } else if (!light_isdigit(c)) {
158 return -1;
159 } else {
160 label_len++;
161 }
162 } else {
163 if (c == '.') {
164 if (label_len == 0) {
165 return -1;
166 }
167
168 /* c is either - or alphanum here */
169 if ('-' == host->ptr[i+1]) {
170 return -1;
171 }
172
173 label_len = 0;
174 level++;
175 } else if (i == 0) {
176 if (!light_isalnum(c)) {
177 return -1;
178 }
179 label_len++;
180 } else {
181 if (c != '-' && !light_isalnum(c)) {
182 return -1;
183 }
184 label_len++;
185 }
186 }
187
188 break;
189 }
190 }
191
192 /* a IP has to consist of 4 parts */
193 if (is_ip == 1 && level != 3) {
194 return -1;
195 }
196
197 if (label_len == 0) {
198 return -1;
199 }
200
201 return 0;
202 }
203
204 int http_request_host_normalize(buffer *b, int scheme_port) {
205 /*
206 * check for and canonicalize numeric IP address and portnum (optional)
207 * (IP address may be followed by ":portnum" (optional))
208 * - IPv6: "[...]"
209 * - IPv4: "x.x.x.x"
210 * - IPv4: 12345678 (32-bit decimal number)
211 * - IPv4: 012345678 (32-bit octal number)
212 * - IPv4: 0x12345678 (32-bit hex number)
213 *
214 * allow any chars (except ':' and '\0' and stray '[' or ']')
215 * (other code may check chars more strictly or more pedantically)
216 * ':' delimits (optional) port at end of string
217 * "[]" wraps IPv6 address literal
218 * '\0' should have been rejected earlier were it present
219 *
220 * any chars includes, but is not limited to:
221 * - allow '-' any where, even at beginning of word
222 * (security caution: might be confused for cmd flag if passed to shell)
223 * - allow all-digit TLDs
224 * (might be mistaken for IPv4 addr by inet_aton()
225 * unless non-digits appear in subdomain)
226 */
227
228 /* Note: not using getaddrinfo() since it does not support "[]" around IPv6
229 * and is not as lenient as inet_aton() and inet_addr() for IPv4 strings.
230 * Not using inet_pton() (when available) on IPv4 for similar reasons. */
231
232 const char * const p = b->ptr;
233 const size_t blen = buffer_string_length(b);
234 long port = 0;
235
236 if (*p != '[') {
237 char * const colon = (char *)memchr(p, ':', blen);
238 if (colon) {
239 if (*p == ':') return -1; /*(empty host then port, or naked IPv6)*/
240 if (colon[1] != '\0') {
241 char *e;
242 port = strtol(colon+1, &e, 0); /*(allow decimal, octal, hex)*/
243 if (0 < port && port <= USHRT_MAX && *e == '\0') {
244 /* valid port */
245 } else {
246 return -1;
247 }
248 } /*(else ignore stray colon at string end)*/
249 buffer_string_set_length(b, (size_t)(colon - p)); /*(remove port str)*/
250 }
251
252 if (light_isdigit(*p)) {
253 /* (IPv4 address literal or domain starting w/ digit (e.g. 3com))*/
254 sock_addr addr;
255 if (1 == sock_addr_inet_pton(&addr, p, AF_INET, 0)) {
256 sock_addr_inet_ntop_copy_buffer(b, &addr);
257 }
258 }
259 } else { /* IPv6 addr */
260 #if defined(HAVE_IPV6) && defined(HAVE_INET_PTON)
261
262 sock_addr addr;
263 char *bracket = b->ptr+blen-1;
264 char *percent = strchr(b->ptr+1, '%');
265 size_t len;
266 int rc;
267 char buf[INET6_ADDRSTRLEN+16]; /*(+16 for potential %interface name)*/
268 if (blen <= 2) return -1; /*(invalid "[]")*/
269 if (*bracket != ']') {
270 bracket = (char *)memchr(b->ptr+1, ']', blen-1);
271 if (NULL == bracket || bracket[1] != ':' || bracket - b->ptr == 1){
272 return -1;
273 }
274 if (bracket[2] != '\0') { /*(ignore stray colon at string end)*/
275 char *e;
276 port = strtol(bracket+2, &e, 0); /*(allow decimal, octal, hex)*/
277 if (0 < port && port <= USHRT_MAX && *e == '\0') {
278 /* valid port */
279 } else {
280 return -1;
281 }
282 }
283 }
284
285 *bracket = '\0';/*(terminate IPv6 string)*/
286 if (percent) *percent = '\0'; /*(remove %interface from address)*/
287 rc = sock_addr_inet_pton(&addr, b->ptr+1, AF_INET6, 0);
288 if (percent) *percent = '%'; /*(restore %interface)*/
289 *bracket = ']'; /*(restore bracket)*/
290 if (1 != rc) return -1;
291
292 sock_addr_inet_ntop(&addr, buf, sizeof(buf));
293 len = strlen(buf);
294 if (percent) {
295 if (percent > bracket) return -1;
296 if (len + (size_t)(bracket - percent) >= sizeof(buf)) return -1;
297 memcpy(buf+len, percent, (size_t)(bracket - percent));
298 len += (size_t)(bracket - percent);
299 }
300 buffer_string_set_length(b, 1); /* truncate after '[' */
301 buffer_append_string_len(b, buf, len);
302 buffer_append_string_len(b, CONST_STR_LEN("]"));
303
304 #else
305
306 return -1;
307
308 #endif
309 }
310
311 if (0 != port && port != scheme_port) {
312 buffer_append_string_len(b, CONST_STR_LEN(":"));
313 buffer_append_int(b, (int)port);
314 }
315
316 return 0;
317 }
318
319 static int scheme_port (const buffer *scheme)
320 {
321 return buffer_is_equal_string(scheme, CONST_STR_LEN("https")) ? 443 : 80;
322 }
323
324 int http_request_host_policy (connection *con, buffer *b, const buffer *scheme) {
325 return (((con->conf.http_parseopts & HTTP_PARSEOPT_HOST_STRICT)
326 && 0 != request_check_hostname(b))
327 || ((con->conf.http_parseopts & HTTP_PARSEOPT_HOST_NORMALIZE)
328 && 0 != http_request_host_normalize(b, scheme_port(scheme))));
329 }
330
331 #if 0
332 #define DUMP_HEADER
333 #endif
334
335 static int http_request_split_value(array *vals, buffer *b) {
336 size_t i, len;
337 int state = 0;
338
339 const char *current;
340 const char *token_start = NULL, *token_end = NULL;
341 /*
342 * parse
343 *
344 * val1, val2, val3, val4
345 *
346 * into a array (more or less a explode() incl. striping of whitespaces
347 */
348
349 if (buffer_string_is_empty(b)) return 0;
350
351 current = b->ptr;
352 len = buffer_string_length(b);
353 for (i = 0; i <= len; ++i, ++current) {
354 data_string *ds;
355
356 switch (state) {
357 case 0: /* find start of a token */
358 switch (*current) {
359 case ' ':
360 case '\t': /* skip white space */
361 case ',': /* skip empty token */
362 break;
363 case '\0': /* end of string */
364 return 0;
365 default:
366 /* found real data, switch to state 1 to find the end of the token */
367 token_start = token_end = current;
368 state = 1;
369 break;
370 }
371 break;
372 case 1: /* find end of token and last non white space character */
373 switch (*current) {
374 case ' ':
375 case '\t':
376 /* space - don't update token_end */
377 break;
378 case ',':
379 case '\0': /* end of string also marks the end of a token */
380 if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
381 ds = data_string_init();
382 }
383
384 buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
385 array_insert_unique(vals, (data_unset *)ds);
386
387 state = 0;
388 break;
389 default:
390 /* no white space, update token_end to include current character */
391 token_end = current;
392 break;
393 }
394 break;
395 }
396 }
397
398 return 0;
399 }
400
401 static int request_uri_is_valid_char(unsigned char c) {
402 if (c <= 32) return 0;
403 if (c == 127) return 0;
404 if (c == 255) return 0;
405
406 return 1;
407 }
408
409 static int http_request_missing_CR_before_LF(server *srv, connection *con) {
410 if (srv->srvconf.log_request_header_on_error) {
411 log_error_write(srv, __FILE__, __LINE__, "s", "missing CR before LF in header -> 400");
412 log_error_write(srv, __FILE__, __LINE__, "Sb", "request-header:\n", con->request.request);
413 }
414
415 con->http_status = 400;
416 con->keep_alive = 0;
417 con->response.keep_alive = 0;
418 return 0;
419 }
420
421 int http_request_parse(server *srv, connection *con) {
422 char *uri = NULL, *proto = NULL, *method = NULL, con_length_set;
423 int is_key = 1, key_len = 0, is_ws_after_key = 0, in_folding;
424 char *value = NULL, *key = NULL;
425 char *reqline_host = NULL;
426 int reqline_hostlen = 0;
427
428 enum { HTTP_CONNECTION_UNSET, HTTP_CONNECTION_KEEPALIVE, HTTP_CONNECTION_CLOSE } keep_alive_set = HTTP_CONNECTION_UNSET;
429
430 int line = 0;
431
432 int request_line_stage = 0;
433 size_t i, first, ilen;
434
435 int done = 0;
436 const unsigned int http_header_strict = (con->conf.http_parseopts & HTTP_PARSEOPT_HEADER_STRICT);
437
438 /*
439 * Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$"
440 * Option : "^([-a-zA-Z]+): (.+)$"
441 * End : "^$"
442 */
443
444 if (con->conf.log_request_header) {
445 log_error_write(srv, __FILE__, __LINE__, "sdsdSb",
446 "fd:", con->fd,
447 "request-len:", buffer_string_length(con->request.request),
448 "\n", con->request.request);
449 }
450
451 if (con->request_count > 1 &&
452 con->request.request->ptr[0] == '\r' &&
453 con->request.request->ptr[1] == '\n') {
454 /* we are in keep-alive and might get \r\n after a previous POST request.*/
455
456 #ifdef __COVERITY__
457 if (buffer_string_length(con->request.request) < 2) {
458 con->keep_alive = 0;
459 con->http_status = 400;
460 return 0;
461 }
462 #endif
463 /* coverity[overflow_sink : FALSE] */
464 buffer_copy_string_len(con->parse_request, con->request.request->ptr + 2, buffer_string_length(con->request.request) - 2);
465 } else if (con->request_count > 0 &&
466 con->request.request->ptr[1] == '\n') {
467 /* we are in keep-alive and might get \n after a previous POST request.*/
468 if (http_header_strict) return http_request_missing_CR_before_LF(srv, con);
469 #ifdef __COVERITY__
470 if (buffer_string_length(con->request.request) < 1) {
471 con->keep_alive = 0;
472 con->http_status = 400;
473 return 0;
474 }
475 #endif
476 /* coverity[overflow_sink : FALSE] */
477 buffer_copy_string_len(con->parse_request, con->request.request->ptr + 1, buffer_string_length(con->request.request) - 1);
478 } else {
479 /* fill the local request buffer */
480 buffer_copy_buffer(con->parse_request, con->request.request);
481 }
482
483 keep_alive_set = 0;
484 con_length_set = 0;
485
486 /* parse the first line of the request
487 *
488 * should be:
489 *
490 * <method> <uri> <protocol>\r\n
491 * */
492 ilen = buffer_string_length(con->parse_request);
493 for (i = 0, first = 0; i < ilen && line == 0; i++) {
494 switch(con->parse_request->ptr[i]) {
495 case '\r':
496 if (con->parse_request->ptr[i+1] != '\n') break;
497 /* fall through */
498 case '\n':
499 {
500 http_method_t r;
501 char *nuri = NULL;
502 size_t j, jlen;
503
504 buffer_copy_string_len(con->request.request_line, con->parse_request->ptr, i);
505
506 /* \r\n -> \0\0 */
507 if (con->parse_request->ptr[i] == '\r') {
508 con->parse_request->ptr[i] = '\0';
509 ++i;
510 } else if (http_header_strict) { /* '\n' */
511 return http_request_missing_CR_before_LF(srv, con);
512 }
513 con->parse_request->ptr[i] = '\0';
514
515 if (request_line_stage != 2) {
516 con->http_status = 400;
517 con->response.keep_alive = 0;
518 con->keep_alive = 0;
519
520 if (srv->srvconf.log_request_header_on_error) {
521 log_error_write(srv, __FILE__, __LINE__, "s", "incomplete request line -> 400");
522 log_error_write(srv, __FILE__, __LINE__, "Sb",
523 "request-header:\n",
524 con->request.request);
525 }
526 return 0;
527 }
528
529 proto = con->parse_request->ptr + first;
530
531 *(uri - 1) = '\0';
532 *(proto - 1) = '\0';
533
534 /* we got the first one :) */
535 if (HTTP_METHOD_UNSET == (r = get_http_method_key(method))) {
536 con->http_status = 501;
537 con->response.keep_alive = 0;
538 con->keep_alive = 0;
539
540 if (srv->srvconf.log_request_header_on_error) {
541 log_error_write(srv, __FILE__, __LINE__, "s", "unknown http-method -> 501");
542 log_error_write(srv, __FILE__, __LINE__, "Sb",
543 "request-header:\n",
544 con->request.request);
545 }
546
547 return 0;
548 }
549
550 con->request.http_method = r;
551
552 /*
553 * RFC2616 says:
554 *
555 * HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT
556 *
557 * */
558 if (0 == strncmp(proto, "HTTP/", sizeof("HTTP/") - 1)) {
559 char * major = proto + sizeof("HTTP/") - 1;
560 char * minor = strchr(major, '.');
561 char *err = NULL;
562 int major_num = 0, minor_num = 0;
563
564 int invalid_version = 0;
565
566 if (NULL == minor || /* no dot */
567 minor == major || /* no major */
568 *(minor + 1) == '\0' /* no minor */) {
569 invalid_version = 1;
570 } else {
571 *minor = '\0';
572 major_num = strtol(major, &err, 10);
573
574 if (*err != '\0') invalid_version = 1;
575
576 *minor++ = '.';
577 minor_num = strtol(minor, &err, 10);
578
579 if (*err != '\0') invalid_version = 1;
580 }
581
582 if (invalid_version) {
583 con->http_status = 400;
584 con->keep_alive = 0;
585
586 if (srv->srvconf.log_request_header_on_error) {
587 log_error_write(srv, __FILE__, __LINE__, "s", "unknown protocol -> 400");
588 log_error_write(srv, __FILE__, __LINE__, "Sb",
589 "request-header:\n",
590 con->request.request);
591 }
592 return 0;
593 }
594
595 if (major_num == 1 && minor_num == 1) {
596 con->request.http_version = con->conf.allow_http11 ? HTTP_VERSION_1_1 : HTTP_VERSION_1_0;
597 } else if (major_num == 1 && minor_num == 0) {
598 con->request.http_version = HTTP_VERSION_1_0;
599 } else {
600 con->http_status = 505;
601
602 if (srv->srvconf.log_request_header_on_error) {
603 log_error_write(srv, __FILE__, __LINE__, "s", "unknown HTTP version -> 505");
604 log_error_write(srv, __FILE__, __LINE__, "Sb",
605 "request-header:\n",
606 con->request.request);
607 }
608 return 0;
609 }
610 } else {
611 con->http_status = 400;
612 con->keep_alive = 0;
613
614 if (srv->srvconf.log_request_header_on_error) {
615 log_error_write(srv, __FILE__, __LINE__, "s", "unknown protocol -> 400");
616 log_error_write(srv, __FILE__, __LINE__, "Sb",
617 "request-header:\n",
618 con->request.request);
619 }
620 return 0;
621 }
622
623 if (*uri == '/') {
624 /* (common case) */
625 buffer_copy_string_len(con->request.uri, uri, proto - uri - 1);
626 } else if (0 == strncasecmp(uri, "http://", 7) &&
627 NULL != (nuri = strchr(uri + 7, '/'))) {
628 reqline_host = uri + 7;
629 reqline_hostlen = nuri - reqline_host;
630
631 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
632 } else if (0 == strncasecmp(uri, "https://", 8) &&
633 NULL != (nuri = strchr(uri + 8, '/'))) {
634 reqline_host = uri + 8;
635 reqline_hostlen = nuri - reqline_host;
636
637 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
638 } else if (!http_header_strict
639 || (HTTP_METHOD_OPTIONS == con->request.http_method && uri[0] == '*' && uri[1] == '\0')) {
640 /* everything looks good so far */
641 buffer_copy_string_len(con->request.uri, uri, proto - uri - 1);
642 } else {
643 con->http_status = 400;
644 con->keep_alive = 0;
645 log_error_write(srv, __FILE__, __LINE__, "ss", "request-URI parse error -> 400 for:", uri);
646 return 0;
647 }
648
649 /* check uri for invalid characters */
650 jlen = buffer_string_length(con->request.uri);
651 if (http_header_strict) {
652 for (j = 0; j < jlen && request_uri_is_valid_char(con->request.uri->ptr[j]); j++) ;
653 } else {
654 char *z = memchr(con->request.uri->ptr, '\0', jlen);
655 j = (NULL == z) ? jlen : (size_t)(z - con->request.uri->ptr);
656 }
657 if (j < jlen) {
658 con->http_status = 400;
659 con->keep_alive = 0;
660
661 if (srv->srvconf.log_request_header_on_error) {
662 unsigned char buf[2];
663 buf[0] = con->request.uri->ptr[j];
664 buf[1] = '\0';
665
666 if (con->request.uri->ptr[j] > 32 &&
667 con->request.uri->ptr[j] != 127) {
668 /* the character is printable -> print it */
669 log_error_write(srv, __FILE__, __LINE__, "ss",
670 "invalid character in URI -> 400",
671 buf);
672 } else {
673 /* a control-character, print ascii-code */
674 log_error_write(srv, __FILE__, __LINE__, "sd",
675 "invalid character in URI -> 400",
676 con->request.uri->ptr[j]);
677 }
678
679 log_error_write(srv, __FILE__, __LINE__, "Sb",
680 "request-header:\n",
681 con->request.request);
682 }
683
684 return 0;
685 }
686
687 buffer_copy_buffer(con->request.orig_uri, con->request.uri);
688
689 con->http_status = 0;
690
691 line++;
692 first = i+1;
693 }
694 break;
695 case ' ':
696 switch(request_line_stage) {
697 case 0:
698 /* GET|POST|... */
699 method = con->parse_request->ptr + first;
700 first = i + 1;
701 break;
702 case 1:
703 /* /foobar/... */
704 uri = con->parse_request->ptr + first;
705 first = i + 1;
706 break;
707 default:
708 /* ERROR, one space to much */
709 con->http_status = 400;
710 con->response.keep_alive = 0;
711 con->keep_alive = 0;
712
713 if (srv->srvconf.log_request_header_on_error) {
714 log_error_write(srv, __FILE__, __LINE__, "s", "overlong request line -> 400");
715 log_error_write(srv, __FILE__, __LINE__, "Sb",
716 "request-header:\n",
717 con->request.request);
718 }
719 return 0;
720 }
721
722 request_line_stage++;
723 break;
724 }
725 }
726
727 in_folding = 0;
728
729 if (buffer_string_is_empty(con->request.uri)) {
730 con->http_status = 400;
731 con->response.keep_alive = 0;
732 con->keep_alive = 0;
733
734 if (srv->srvconf.log_request_header_on_error) {
735 log_error_write(srv, __FILE__, __LINE__, "s", "no uri specified -> 400");
736 log_error_write(srv, __FILE__, __LINE__, "Sb",
737 "request-header:\n",
738 con->request.request);
739 }
740 return 0;
741 }
742
743 if (reqline_host) {
744 /* Insert as host header */
745 data_string *ds;
746
747 if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
748 ds = data_string_init();
749 }
750
751 buffer_copy_string_len(ds->key, CONST_STR_LEN("Host"));
752 buffer_copy_string_len(ds->value, reqline_host, reqline_hostlen);
753 array_insert_unique(con->request.headers, (data_unset *)ds);
754 con->request.http_host = ds->value;
755 }
756
757 for (; i <= ilen && !done; i++) {
758 char *cur = con->parse_request->ptr + i;
759
760 if (is_key) {
761 size_t j;
762 int got_colon = 0;
763
764 /**
765 * 1*<any CHAR except CTLs or separators>
766 * CTLs == 0-31 + 127, CHAR = 7-bit ascii (0..127)
767 *
768 */
769 switch(*cur) {
770 case ':':
771 is_key = 0;
772
773 value = cur + 1;
774
775 if (is_ws_after_key == 0) {
776 key_len = i - first;
777 }
778 is_ws_after_key = 0;
779
780 break;
781 case '(':
782 case ')':
783 case '<':
784 case '>':
785 case '@':
786 case ',':
787 case ';':
788 case '\\':
789 case '\"':
790 case '/':
791 case '[':
792 case ']':
793 case '?':
794 case '=':
795 case '{':
796 case '}':
797 con->http_status = 400;
798 con->keep_alive = 0;
799 con->response.keep_alive = 0;
800
801 if (srv->srvconf.log_request_header_on_error) {
802 log_error_write(srv, __FILE__, __LINE__, "sbsds",
803 "invalid character in key", con->request.request, cur, *cur, "-> 400");
804
805 log_error_write(srv, __FILE__, __LINE__, "Sb",
806 "request-header:\n",
807 con->request.request);
808 }
809 return 0;
810 case ' ':
811 case '\t':
812 if (i == first) {
813 is_key = 0;
814 in_folding = 1;
815 value = cur;
816
817 break;
818 }
819
820
821 key_len = i - first;
822
823 /* skip every thing up to the : */
824 for (j = 1; !got_colon; j++) {
825 switch(con->parse_request->ptr[j + i]) {
826 case ' ':
827 case '\t':
828 /* skip WS */
829 continue;
830 case ':':
831 /* ok, done; handle the colon the usual way */
832
833 i += j - 1;
834 got_colon = 1;
835 is_ws_after_key = 1; /* we already know the key length */
836
837 break;
838 default:
839 /* error */
840
841 if (srv->srvconf.log_request_header_on_error) {
842 log_error_write(srv, __FILE__, __LINE__, "s", "WS character in key -> 400");
843 log_error_write(srv, __FILE__, __LINE__, "Sb",
844 "request-header:\n",
845 con->request.request);
846 }
847
848 con->http_status = 400;
849 con->response.keep_alive = 0;
850 con->keep_alive = 0;
851
852 return 0;
853 }
854 }
855
856 break;
857 case '\r':
858 if (con->parse_request->ptr[i+1] == '\n' && i == first) {
859 /* End of Header */
860 con->parse_request->ptr[i] = '\0';
861 con->parse_request->ptr[i+1] = '\0';
862
863 i++;
864
865 done = 1;
866 } else {
867 if (srv->srvconf.log_request_header_on_error) {
868 log_error_write(srv, __FILE__, __LINE__, "s", "CR without LF -> 400");
869 log_error_write(srv, __FILE__, __LINE__, "Sb",
870 "request-header:\n",
871 con->request.request);
872 }
873
874 con->http_status = 400;
875 con->keep_alive = 0;
876 con->response.keep_alive = 0;
877 return 0;
878 }
879 break;
880 case '\n':
881 if (http_header_strict) {
882 return http_request_missing_CR_before_LF(srv, con);
883 } else if (i == first) {
884 con->parse_request->ptr[i] = '\0';
885 done = 1;
886 break;
887 }
888 /* fall through */
889 default:
890 if (http_header_strict ? (*cur < 32 || ((unsigned char)*cur) >= 127) : *cur == '\0') {
891 con->http_status = 400;
892 con->keep_alive = 0;
893 con->response.keep_alive = 0;
894
895 if (srv->srvconf.log_request_header_on_error) {
896 log_error_write(srv, __FILE__, __LINE__, "sbsds",
897 "invalid character in key", con->request.request, cur, *cur, "-> 400");
898
899 log_error_write(srv, __FILE__, __LINE__, "Sb",
900 "request-header:\n",
901 con->request.request);
902 }
903
904 return 0;
905 }
906 /* ok */
907 break;
908 }
909 } else {
910 switch(*cur) {
911 case '\r':
912 case '\n':
913 if (*cur == '\n' || con->parse_request->ptr[i+1] == '\n') {
914 data_string *ds = NULL;
915 if (*cur == '\n') {
916 if (http_header_strict) return http_request_missing_CR_before_LF(srv, con);
917 } else { /* (con->parse_request->ptr[i+1] == '\n') */
918 con->parse_request->ptr[i] = '\0';
919 ++i;
920 }
921
922 /* End of Headerline */
923 con->parse_request->ptr[i] = '\0';
924
925 if (in_folding) {
926 /**
927 * we use a evil hack to handle the line-folding
928 *
929 * As array_insert_unique() deletes 'ds' in the case of a duplicate
930 * ds points somewhere and we get a evil crash. As a solution we keep the old
931 * "key" and get the current value from the hash and append us
932 *
933 * */
934
935 if (!key || !key_len) {
936 /* 400 */
937
938 if (srv->srvconf.log_request_header_on_error) {
939 log_error_write(srv, __FILE__, __LINE__, "s", "WS at the start of first line -> 400");
940
941 log_error_write(srv, __FILE__, __LINE__, "Sb",
942 "request-header:\n",
943 con->request.request);
944 }
945
946
947 con->http_status = 400;
948 con->keep_alive = 0;
949 con->response.keep_alive = 0;
950 return 0;
951 }
952
953 if (NULL != (ds = (data_string *)array_get_element_klen(con->request.headers, key, key_len))) {
954 buffer_append_string(ds->value, value);
955 }
956 } else {
957 int s_len;
958 key = con->parse_request->ptr + first;
959
960 s_len = cur - value;
961
962 /* strip trailing white-spaces */
963 for (; s_len > 0 &&
964 (value[s_len - 1] == ' ' ||
965 value[s_len - 1] == '\t'); s_len--);
966
967 value[s_len] = '\0';
968
969 if (s_len > 0) {
970 int cmp = 0;
971 if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) {
972 ds = data_string_init();
973 }
974 buffer_copy_string_len(ds->key, key, key_len);
975 buffer_copy_string_len(ds->value, value, s_len);
976
977 /* retreive values
978 *
979 *
980 * the list of options is sorted to simplify the search
981 */
982
983 if (0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Connection")))) {
984 array *vals;
985 size_t vi;
986
987 /* split on , */
988
989 vals = srv->split_vals;
990
991 array_reset(vals);
992
993 http_request_split_value(vals, ds->value);
994
995 for (vi = 0; vi < vals->used; vi++) {
996 data_string *dsv = (data_string *)vals->data[vi];
997
998 if (0 == buffer_caseless_compare(CONST_BUF_LEN(dsv->value), CONST_STR_LEN("keep-alive"))) {
999 keep_alive_set = HTTP_CONNECTION_KEEPALIVE;
1000
1001 break;
1002 } else if (0 == buffer_caseless_compare(CONST_BUF_LEN(dsv->value), CONST_STR_LEN("close"))) {
1003 keep_alive_set = HTTP_CONNECTION_CLOSE;
1004
1005 break;
1006 }
1007 }
1008
1009 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) {
1010 char *err;
1011 off_t r;
1012
1013 if (con_length_set) {
1014 con->http_status = 400;
1015 con->keep_alive = 0;
1016
1017 if (srv->srvconf.log_request_header_on_error) {
1018 log_error_write(srv, __FILE__, __LINE__, "s",
1019 "duplicate Content-Length-header -> 400");
1020 log_error_write(srv, __FILE__, __LINE__, "Sb",
1021 "request-header:\n",
1022 con->request.request);
1023 }
1024 array_insert_unique(con->request.headers, (data_unset *)ds);
1025 return 0;
1026 }
1027
1028 r = strtoll(ds->value->ptr, &err, 10);
1029
1030 if (*err == '\0' && r >= 0) {
1031 con_length_set = 1;
1032 con->request.content_length = r;
1033 } else {
1034 log_error_write(srv, __FILE__, __LINE__, "sbs",
1035 "content-length broken:", ds->value, "-> 400");
1036
1037 con->http_status = 400;
1038 con->keep_alive = 0;
1039
1040 array_insert_unique(con->request.headers, (data_unset *)ds);
1041 return 0;
1042 }
1043 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Type")))) {
1044 /* if dup, only the first one will survive */
1045 if (!con->request.http_content_type) {
1046 con->request.http_content_type = ds->value->ptr;
1047 } else {
1048 con->http_status = 400;
1049 con->keep_alive = 0;
1050
1051 if (srv->srvconf.log_request_header_on_error) {
1052 log_error_write(srv, __FILE__, __LINE__, "s",
1053 "duplicate Content-Type-header -> 400");
1054 log_error_write(srv, __FILE__, __LINE__, "Sb",
1055 "request-header:\n",
1056 con->request.request);
1057 }
1058 array_insert_unique(con->request.headers, (data_unset *)ds);
1059 return 0;
1060 }
1061 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Host")))) {
1062 if (reqline_host) {
1063 /* ignore all host: headers as we got the host in the request line */
1064 ds->free((data_unset*) ds);
1065 ds = NULL;
1066 } else if (!con->request.http_host) {
1067 con->request.http_host = ds->value;
1068 } else {
1069 con->http_status = 400;
1070 con->keep_alive = 0;
1071
1072 if (srv->srvconf.log_request_header_on_error) {
1073 log_error_write(srv, __FILE__, __LINE__, "s",
1074 "duplicate Host-header -> 400");
1075 log_error_write(srv, __FILE__, __LINE__, "Sb",
1076 "request-header:\n",
1077 con->request.request);
1078 }
1079 array_insert_unique(con->request.headers, (data_unset *)ds);
1080 return 0;
1081 }
1082 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-Modified-Since")))) {
1083 /* Proxies sometimes send dup headers
1084 * if they are the same we ignore the second
1085 * if not, we raise an error */
1086 if (!con->request.http_if_modified_since) {
1087 con->request.http_if_modified_since = ds->value->ptr;
1088 } else if (0 == strcasecmp(con->request.http_if_modified_since,
1089 ds->value->ptr)) {
1090 /* ignore it if they are the same */
1091
1092 ds->free((data_unset *)ds);
1093 ds = NULL;
1094 } else {
1095 con->http_status = 400;
1096 con->keep_alive = 0;
1097
1098 if (srv->srvconf.log_request_header_on_error) {
1099 log_error_write(srv, __FILE__, __LINE__, "s",
1100 "duplicate If-Modified-Since header -> 400");
1101 log_error_write(srv, __FILE__, __LINE__, "Sb",
1102 "request-header:\n",
1103 con->request.request);
1104 }
1105 array_insert_unique(con->request.headers, (data_unset *)ds);
1106 return 0;
1107 }
1108 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-None-Match")))) {
1109 /* if dup, only the first one will survive */
1110 if (!con->request.http_if_none_match) {
1111 con->request.http_if_none_match = ds->value->ptr;
1112 } else {
1113 ds->free((data_unset*) ds);
1114 ds = NULL;
1115 }
1116 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Range")))) {
1117 if (!con->request.http_range) {
1118 /* bytes=.*-.* */
1119
1120 if (0 == strncasecmp(ds->value->ptr, "bytes=", 6) &&
1121 NULL != strchr(ds->value->ptr+6, '-')) {
1122
1123 /* if dup, only the first one will survive */
1124 con->request.http_range = ds->value->ptr + 6;
1125 }
1126 } else {
1127 con->http_status = 400;
1128 con->keep_alive = 0;
1129
1130 if (srv->srvconf.log_request_header_on_error) {
1131 log_error_write(srv, __FILE__, __LINE__, "s",
1132 "duplicate Range-header -> 400");
1133 log_error_write(srv, __FILE__, __LINE__, "Sb",
1134 "request-header:\n",
1135 con->request.request);
1136 }
1137 array_insert_unique(con->request.headers, (data_unset *)ds);
1138 return 0;
1139 }
1140 }
1141
1142 if (ds) array_insert_unique(con->request.headers, (data_unset *)ds);
1143 } else {
1144 /* empty header-fields are not allowed by HTTP-RFC, we just ignore them */
1145 }
1146 }
1147
1148 first = i+1;
1149 is_key = 1;
1150 value = NULL;
1151 #if 0
1152 /**
1153 * for Bug 1230 keep the key_len a live
1154 */
1155 key_len = 0;
1156 #endif
1157 in_folding = 0;
1158 } else {
1159 if (srv->srvconf.log_request_header_on_error) {
1160 log_error_write(srv, __FILE__, __LINE__, "sbs",
1161 "CR without LF", con->request.request, "-> 400");
1162 }
1163
1164 con->http_status = 400;
1165 con->keep_alive = 0;
1166 con->response.keep_alive = 0;
1167 return 0;
1168 }
1169 break;
1170 case ' ':
1171 case '\t':
1172 /* strip leading WS */
1173 if (value == cur) value = cur+1;
1174 break;
1175 default:
1176 if (http_header_strict ? (*cur >= 0 && *cur < 32) : *cur == '\0') {
1177 if (srv->srvconf.log_request_header_on_error) {
1178 log_error_write(srv, __FILE__, __LINE__, "sds",
1179 "invalid char in header", (int)*cur, "-> 400");
1180 }
1181
1182 con->http_status = 400;
1183 con->keep_alive = 0;
1184
1185 return 0;
1186 }
1187 break;
1188 }
1189 }
1190 }
1191
1192 con->header_len = i;
1193
1194 /* do some post-processing */
1195
1196 if (con->request.http_version == HTTP_VERSION_1_1) {
1197 if (keep_alive_set != HTTP_CONNECTION_CLOSE) {
1198 /* no Connection-Header sent */
1199
1200 /* HTTP/1.1 -> keep-alive default TRUE */
1201 con->keep_alive = 1;
1202 } else {
1203 con->keep_alive = 0;
1204 }
1205
1206 /* RFC 2616, 14.23 */
1207 if (con->request.http_host == NULL ||
1208 buffer_string_is_empty(con->request.http_host)) {
1209 con->http_status = 400;
1210 con->response.keep_alive = 0;
1211 con->keep_alive = 0;
1212
1213 if (srv->srvconf.log_request_header_on_error) {
1214 log_error_write(srv, __FILE__, __LINE__, "s", "HTTP/1.1 but Host missing -> 400");
1215 log_error_write(srv, __FILE__, __LINE__, "Sb",
1216 "request-header:\n",
1217 con->request.request);
1218 }
1219 return 0;
1220 }
1221 } else {
1222 if (keep_alive_set == HTTP_CONNECTION_KEEPALIVE) {
1223 /* no Connection-Header sent */
1224
1225 /* HTTP/1.0 -> keep-alive default FALSE */
1226 con->keep_alive = 1;
1227 } else {
1228 con->keep_alive = 0;
1229 }
1230 }
1231
1232 /* check hostname field if it is set */
1233 if (!buffer_is_empty(con->request.http_host) &&
1234 0 != http_request_host_policy(con, con->request.http_host, con->proto)) {
1235
1236 if (srv->srvconf.log_request_header_on_error) {
1237 log_error_write(srv, __FILE__, __LINE__, "s",
1238 "Invalid Hostname -> 400");
1239 log_error_write(srv, __FILE__, __LINE__, "Sb",
1240 "request-header:\n",
1241 con->request.request);
1242 }
1243
1244 con->http_status = 400;
1245 con->response.keep_alive = 0;
1246 con->keep_alive = 0;
1247
1248 return 0;
1249 }
1250
1251 {
1252 data_string *ds = (data_string *)array_get_element(con->request.headers, "Transfer-Encoding");
1253 if (NULL != ds) {
1254 if (con->request.http_version == HTTP_VERSION_1_0) {
1255 log_error_write(srv, __FILE__, __LINE__, "s",
1256 "HTTP/1.0 with Transfer-Encoding (bad HTTP/1.0 proxy?) -> 400");
1257 con->keep_alive = 0;
1258 con->http_status = 400; /* Bad Request */
1259 return 0;
1260 }
1261
1262 if (0 != strcasecmp(ds->value->ptr, "chunked")) {
1263 /* Transfer-Encoding might contain additional encodings,
1264 * which are not currently supported by lighttpd */
1265 con->keep_alive = 0;
1266 con->http_status = 501; /* Not Implemented */
1267 return 0;
1268 }
1269
1270 /* reset value for Transfer-Encoding, a hop-by-hop header,
1271 * which must not be blindly forwarded to backends */
1272 buffer_reset(ds->value); /* headers with empty values are ignored */
1273
1274 con_length_set = 1;
1275 con->request.content_length = -1;
1276
1277 /*(note: ignore whether or not Content-Length was provided)*/
1278 ds = (data_string *)array_get_element(con->request.headers, "Content-Length");
1279 if (NULL != ds) buffer_reset(ds->value); /* headers with empty values are ignored */
1280 }
1281 }
1282
1283 switch(con->request.http_method) {
1284 case HTTP_METHOD_GET:
1285 case HTTP_METHOD_HEAD:
1286 /* content-length is forbidden for those */
1287 if (con_length_set && con->request.content_length != 0) {
1288 /* content-length is missing */
1289 log_error_write(srv, __FILE__, __LINE__, "s",
1290 "GET/HEAD with content-length -> 400");
1291
1292 con->keep_alive = 0;
1293 con->http_status = 400;
1294 return 0;
1295 }
1296 break;
1297 case HTTP_METHOD_POST:
1298 /* content-length is required for them */
1299 if (!con_length_set) {
1300 /* content-length is missing */
1301 log_error_write(srv, __FILE__, __LINE__, "s",
1302 "POST-request, but content-length missing -> 411");
1303
1304 con->keep_alive = 0;
1305 con->http_status = 411;
1306 return 0;
1307
1308 }
1309 break;
1310 default:
1311 break;
1312 }
1313
1314
1315 /* check if we have read post data */
1316 if (con_length_set) {
1317 /* we have content */
1318 if (con->request.content_length != 0) {
1319 return 1;
1320 }
1321 }
1322
1323 return 0;
1324 }
1325
1326 int http_request_header_finished(server *srv, connection *con) {
1327 UNUSED(srv);
1328
1329 if (buffer_string_length(con->request.request) < 4) return 0;
1330
1331 if (0 == memcmp(con->request.request->ptr + buffer_string_length(con->request.request) - 4, CONST_STR_LEN("\r\n\r\n"))) return 1;
1332 if (NULL != strstr(con->request.request->ptr, "\r\n\r\n")) return 1;
1333
1334 return 0;
1335 }
A fast webserver with minimal memory-footprint (lighttpd)