Fix 0.9 not detected with query_string

Neale Pickett 2013-02-14 16:39:14 -07:00
parent 4e2e46dfdb
commit eb9de7b610
3 changed files with 27 additions and 23 deletions


@ -1,3 +1,6 @@
4.1:
Fix 0.9 not detected with query_string (Alyssa Milburn).
4.0:
Fix directory traversal vulnerability (Alyssa Milburn).

44
eris.c

@ -782,33 +782,31 @@ handle_request()
*(fsp++) = '.';
*(fsp++) = '/';
for (; *p != ' '; p += 1) {
if (! query_string) {
char c = *p;
char c = *p;
switch (c) {
case 0:
badrequest(413, "Request Entity Too Large", "The HTTP request was too long");
case '\n':
badrequest(505, "Version Not Supported", "HTTP/0.9 not supported");
case '?':
query_string = p + 1;
continue;
case '%':
if (p[1] && p[2]) {
int a = fromhex(p[1]);
int b = fromhex(p[2]);
switch (c) {
case 0:
badrequest(413, "Request Entity Too Large", "The HTTP request was too long");
case '\n':
badrequest(505, "Version Not Supported", "HTTP/0.9 not supported");
case '?':
query_string = p + 1;
break;
case '%':
if ((! query_string) && p[1] && p[2]) {
int a = fromhex(p[1]);
int b = fromhex(p[2]);
if ((a >= 0) && (b >= 0)) {
c = (a << 4) | b;
p += 2;
}
if ((a >= 0) && (b >= 0)) {
c = (a << 4) | b;
p += 2;
}
break;
}
}
break;
}
if (fsp - fspath + 1 < sizeof fspath) {
*(fsp++) = c;
}
if ((! query_string) && (fsp - fspath + 1 < sizeof fspath)) {
*(fsp++) = c;
}
}
*fsp = 0;
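Review bot: In the new `case '?':` arm, `query_string = p + 1;` now runs for every `?` in the request target, because the switch is no longer skipped once the query string has started. A target containing a second `?` would leave `query_string` pointing past the last one rather than the first, so whatever consumes it later sees a shorter query than the client sent. Guarding the assignment keeps the first `?` as the delimiter: `if (! query_string) query_string = p + 1;`. Separately, the percent-decoded byte in `c` is stored into `fspath` without being re-checked, so a decoded 0 would end the path string early. Rejecting `c == 0` after decoding, with the same `badrequest` style, would be a cheap addition, assuming the later path checks outside this hunk operate on the C string. The loop sits inside handle_request(), whose body starts and ends outside the hunk.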


@ -112,6 +112,9 @@ printf 'GET / HTTP/1.0\n\n' | $HTTPD 2>/dev/null | grep -q 'james' && pass || fa
title "No trailing slash"
printf 'GET /empty HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | d | grep -q '301 Redirect#%.*Location: /empty/#%#%' && pass || fail
title "No version after query_string"
printf 'GET /?\r\n\r\n' | $HTTPD 2>/dev/null | d | grep -q 'HTTP/0.9' && pass || fail
title "Logging /"
(printf 'GET / HTTP/1.1\r\nHost: host\r\n\r\n' |
PROTO=TCP TCPREMOTEPORT=1234 TCPREMOTEIP=10.0.0.2 $HTTPD >/dev/null) 2>&1 | grep -q '^10.0.0.2:1234 200 6 host (null) (null) /$' && pass || fail
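Review bot: The new "No version after query_string" case only greps the response for `HTTP/0.9` and only exercises an empty query (`GET /?`), so it would not catch a regression in how a non-empty or repeated `?` is handled. A sibling case such as `printf 'GET /?a=b\r\n\r\n' | $HTTPD 2>/dev/null | d | grep -q 'HTTP/0.9' && pass || fail` would cover the path where bytes follow the `?`. Matching the 505 status text as well, the way the "No trailing slash" case matches `301 Redirect`, would pin the response code rather than just the message.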