1 #include "first.h" 2 3 #include "request.h" 4 #include "keyvalue.h" 5 #include "log.h" 6 7 #include <sys/stat.h> 8 9 #include <limits.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <stdio.h> 13 #include <ctype.h> 14 15 static int request_check_hostname(buffer *host) { 16 enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL; 17 size_t i; 18 int label_len = 0; 19 size_t host_len, hostport_len; 20 char *colon; 21 int is_ip = -1; /* -1 don't know yet, 0 no, 1 yes */ 22 int level = 0; 23 24 /* 25 * hostport = host [ ":" port ] 26 * host = hostname | IPv4address | IPv6address 27 * hostname = *( domainlabel "." ) toplabel [ "." ] 28 * domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum 29 * toplabel = alpha | alpha *( alphanum | "-" ) alphanum 30 * IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit 31 * IPv6address = "[" ... "]" 32 * port = *digit 33 */ 34 35 /* IPv6 adress */ 36 if (host->ptr[0] == '[') { 37 char *c = host->ptr + 1; 38 int colon_cnt = 0; 39 40 /* check the address inside [...] */ 41 for (; *c && *c != ']'; c++) { 42 if (*c == ':') { 43 if (++colon_cnt > 7) { 44 return -1; 45 } 46 } else if (!light_isxdigit(*c) && '.' != *c) { 47 return -1; 48 } 49 } 50 51 /* missing ] */ 52 if (!*c) { 53 return -1; 54 } 55 56 /* check port */ 57 if (*(c+1) == ':') { 58 for (c += 2; *c; c++) { 59 if (!light_isdigit(*c)) { 60 return -1; 61 } 62 } 63 } 64 else if ('\0' != *(c+1)) { 65 /* only a port is allowed to follow [...] */ 66 return -1; 67 } 68 return 0; 69 } 70 71 hostport_len = host_len = buffer_string_length(host); 72 73 if (NULL != (colon = memchr(host->ptr, ':', host_len))) { 74 char *c = colon + 1; 75 76 /* check portnumber */ 77 for (; *c; c++) { 78 if (!light_isdigit(*c)) return -1; 79 } 80 81 /* remove the port from the host-len */ 82 host_len = colon - host->ptr; 83 } 84 85 /* Host is empty */ 86 if (host_len == 0) return -1; 87 88 /* if the hostname ends in a "." strip it */ 89 if (host->ptr[host_len-1] == '.') { 90 /* shift port info one left */ 91 if (NULL != colon) memmove(colon-1, colon, hostport_len - host_len); 92 buffer_string_set_length(host, --hostport_len); 93 if (--host_len == 0) return -1; 94 } 95 96 97 /* scan from the right and skip the \0 */ 98 for (i = host_len; i-- > 0; ) { 99 const char c = host->ptr[i]; 100 101 switch (stage) { 102 case TOPLABEL: 103 if (c == '.') { 104 /* only switch stage, if this is not the last character */ 105 if (i != host_len - 1) { 106 if (label_len == 0) { 107 return -1; 108 } 109 110 /* check the first character at right of the dot */ 111 if (is_ip == 0) { 112 if (!light_isalnum(host->ptr[i+1])) { 113 return -1; 114 } 115 } else if (!light_isdigit(host->ptr[i+1])) { 116 is_ip = 0; 117 } else if ('-' == host->ptr[i+1]) { 118 return -1; 119 } else { 120 /* just digits */ 121 is_ip = 1; 122 } 123 124 stage = DOMAINLABEL; 125 126 label_len = 0; 127 level++; 128 } else if (i == 0) { 129 /* just a dot and nothing else is evil */ 130 return -1; 131 } 132 } else if (i == 0) { 133 /* the first character of the hostname */ 134 if (!light_isalnum(c)) { 135 return -1; 136 } 137 label_len++; 138 } else { 139 if (c != '-' && !light_isalnum(c)) { 140 return -1; 141 } 142 if (is_ip == -1) { 143 if (!light_isdigit(c)) is_ip = 0; 144 } 145 label_len++; 146 } 147 148 break; 149 case DOMAINLABEL: 150 if (is_ip == 1) { 151 if (c == '.') { 152 if (label_len == 0) { 153 return -1; 154 } 155 156 label_len = 0; 157 level++; 158 } else if (!light_isdigit(c)) { 159 return -1; 160 } else { 161 label_len++; 162 } 163 } else { 164 if (c == '.') { 165 if (label_len == 0) { 166 return -1; 167 } 168 169 /* c is either - or alphanum here */ 170 if ('-' == host->ptr[i+1]) { 171 return -1; 172 } 173 174 label_len = 0; 175 level++; 176 } else if (i == 0) { 177 if (!light_isalnum(c)) { 178 return -1; 179 } 180 label_len++; 181 } else { 182 if (c != '-' && !light_isalnum(c)) { 183 return -1; 184 } 185 label_len++; 186 } 187 } 188 189 break; 190 } 191 } 192 193 /* a IP has to consist of 4 parts */ 194 if (is_ip == 1 && level != 3) { 195 return -1; 196 } 197 198 if (label_len == 0) { 199 return -1; 200 } 201 202 return 0; 203 } 204 205 int http_request_host_normalize(buffer *b) { 206 /* 207 * check for and canonicalize numeric IP address and portnum (optional) 208 * (IP address may be followed by ":portnum" (optional)) 209 * - IPv6: "[...]" 210 * - IPv4: "x.x.x.x" 211 * - IPv4: 12345678 (32-bit decimal number) 212 * - IPv4: 012345678 (32-bit octal number) 213 * - IPv4: 0x12345678 (32-bit hex number) 214 * 215 * allow any chars (except ':' and '\0' and stray '[' or ']') 216 * (other code may check chars more strictly or more pedantically) 217 * ':' delimits (optional) port at end of string 218 * "[]" wraps IPv6 address literal 219 * '\0' should have been rejected earlier were it present 220 * 221 * any chars includes, but is not limited to: 222 * - allow '-' any where, even at beginning of word 223 * (security caution: might be confused for cmd flag if passed to shell) 224 * - allow all-digit TLDs 225 * (might be mistaken for IPv4 addr by inet_aton() 226 * unless non-digits appear in subdomain) 227 */ 228 229 /* Note: not using getaddrinfo() since it does not support "[]" around IPv6 230 * and is not as lenient as inet_aton() and inet_addr() for IPv4 strings. 231 * Not using inet_pton() (when available) on IPv4 for similar reasons. */ 232 233 const char * const p = b->ptr; 234 const size_t blen = buffer_string_length(b); 235 long port = 0; 236 237 if (*p != '[') { 238 char * const colon = (char *)memchr(p, ':', blen); 239 if (colon) { 240 if (*p == ':') return -1; /*(empty host then port, or naked IPv6)*/ 241 if (colon[1] != '\0') { 242 char *e; 243 port = strtol(colon+1, &e, 0); /*(allow decimal, octal, hex)*/ 244 if (0 < port && port <= USHRT_MAX && *e == '\0') { 245 /* valid port */ 246 } else { 247 return -1; 248 } 249 } /*(else ignore stray colon at string end)*/ 250 buffer_string_set_length(b, (size_t)(colon - p)); /*(remove port str)*/ 251 } 252 253 if (light_isdigit(*p)) { 254 /* (IPv4 address literal or domain starting w/ digit (e.g. 3com))*/ 255 struct in_addr addr; 256 #if defined(HAVE_INET_ATON) /*(Windows does not provide inet_aton())*/ 257 if (0 != inet_aton(p, &addr)) 258 #else 259 if ((addr.s_addr = inet_addr(p)) != INADDR_NONE) 260 #endif 261 { 262 #if defined(HAVE_INET_PTON)/*(expect inet_ntop() if inet_pton())*/ 263 #ifndef INET_ADDRSTRLEN 264 #define INET_ADDRSTRLEN 16 265 #endif 266 char buf[INET_ADDRSTRLEN]; 267 inet_ntop(AF_INET, (const void *)&addr, buf, sizeof(buf)); 268 buffer_copy_string(b, buf); 269 #else 270 buffer_copy_string(b, inet_ntoa(addr)); /*(not thread-safe)*/ 271 #endif 272 } 273 } 274 } else { /* IPv6 addr */ 275 #if defined(HAVE_IPV6) && defined(HAVE_INET_PTON) 276 277 struct in6_addr addr; 278 char *bracket = b->ptr+blen-1; 279 int rc; 280 char buf[INET6_ADDRSTRLEN]; 281 if (blen <= 2) return -1; /*(invalid "[]")*/ 282 if (*bracket != ']') { 283 bracket = (char *)memchr(b->ptr+1, ']', blen-1); 284 if (NULL == bracket || bracket[1] != ':' || bracket - b->ptr == 1){ 285 return -1; 286 } 287 if (bracket[2] != '\0') { /*(ignore stray colon at string end)*/ 288 char *e; 289 port = strtol(bracket+2, &e, 0); /*(allow decimal, octal, hex)*/ 290 if (0 < port && port <= USHRT_MAX && *e == '\0') { 291 /* valid port */ 292 } else { 293 return -1; 294 } 295 } 296 } 297 298 *bracket = '\0';/*(terminate IPv6 string)*/ 299 rc = inet_pton(AF_INET6, b->ptr+1, &addr); 300 *bracket = ']'; /*(restore bracket)*/ 301 if (1 != rc) return -1; 302 303 inet_ntop(AF_INET6,(const void *)&addr, buf, sizeof(buf)); 304 buffer_string_set_length(b, 1); /* truncate after '[' */ 305 buffer_append_string(b, buf); 306 buffer_append_string_len(b, CONST_STR_LEN("]")); 307 308 #else 309 310 return -1; 311 312 #endif 313 } 314 315 if (port) { 316 buffer_append_string_len(b, CONST_STR_LEN(":")); 317 buffer_append_int(b, (int)port); 318 } 319 320 return 0; 321 } 322 323 #if 0 324 #define DUMP_HEADER 325 #endif 326 327 static int http_request_split_value(array *vals, buffer *b) { 328 size_t i, len; 329 int state = 0; 330 331 const char *current; 332 const char *token_start = NULL, *token_end = NULL; 333 /* 334 * parse 335 * 336 * val1, val2, val3, val4 337 * 338 * into a array (more or less a explode() incl. striping of whitespaces 339 */ 340 341 if (buffer_string_is_empty(b)) return 0; 342 343 current = b->ptr; 344 len = buffer_string_length(b); 345 for (i = 0; i <= len; ++i, ++current) { 346 data_string *ds; 347 348 switch (state) { 349 case 0: /* find start of a token */ 350 switch (*current) { 351 case ' ': 352 case '\t': /* skip white space */ 353 case ',': /* skip empty token */ 354 break; 355 case '\0': /* end of string */ 356 return 0; 357 default: 358 /* found real data, switch to state 1 to find the end of the token */ 359 token_start = token_end = current; 360 state = 1; 361 break; 362 } 363 break; 364 case 1: /* find end of token and last non white space character */ 365 switch (*current) { 366 case ' ': 367 case '\t': 368 /* space - don't update token_end */ 369 break; 370 case ',': 371 case '\0': /* end of string also marks the end of a token */ 372 if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { 373 ds = data_string_init(); 374 } 375 376 buffer_copy_string_len(ds->value, token_start, token_end-token_start+1); 377 array_insert_unique(vals, (data_unset *)ds); 378 379 state = 0; 380 break; 381 default: 382 /* no white space, update token_end to include current character */ 383 token_end = current; 384 break; 385 } 386 break; 387 } 388 } 389 390 return 0; 391 } 392 393 static int request_uri_is_valid_char(unsigned char c) { 394 if (c <= 32) return 0; 395 if (c == 127) return 0; 396 if (c == 255) return 0; 397 398 return 1; 399 } 400 401 int http_request_parse(server *srv, connection *con) { 402 char *uri = NULL, *proto = NULL, *method = NULL, con_length_set; 403 int is_key = 1, key_len = 0, is_ws_after_key = 0, in_folding; 404 char *value = NULL, *key = NULL; 405 char *reqline_host = NULL; 406 int reqline_hostlen = 0; 407 408 enum { HTTP_CONNECTION_UNSET, HTTP_CONNECTION_KEEPALIVE, HTTP_CONNECTION_CLOSE } keep_alive_set = HTTP_CONNECTION_UNSET; 409 410 int line = 0; 411 412 int request_line_stage = 0; 413 size_t i, first, ilen; 414 415 int done = 0; 416 const unsigned int http_header_strict = (con->conf.http_parseopts & HTTP_PARSEOPT_HEADER_STRICT); 417 418 /* 419 * Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$" 420 * Option : "^([-a-zA-Z]+): (.+)$" 421 * End : "^$" 422 */ 423 424 if (con->conf.log_request_header) { 425 log_error_write(srv, __FILE__, __LINE__, "sdsdSb", 426 "fd:", con->fd, 427 "request-len:", buffer_string_length(con->request.request), 428 "\n", con->request.request); 429 } 430 431 if (con->request_count > 1 && 432 con->request.request->ptr[0] == '\r' && 433 con->request.request->ptr[1] == '\n') { 434 /* we are in keep-alive and might get \r\n after a previous POST request.*/ 435 436 buffer_copy_string_len(con->parse_request, con->request.request->ptr + 2, buffer_string_length(con->request.request) - 2); 437 } else { 438 /* fill the local request buffer */ 439 buffer_copy_buffer(con->parse_request, con->request.request); 440 } 441 442 keep_alive_set = 0; 443 con_length_set = 0; 444 445 /* parse the first line of the request 446 * 447 * should be: 448 * 449 * <method> <uri> <protocol>\r\n 450 * */ 451 ilen = buffer_string_length(con->parse_request); 452 for (i = 0, first = 0; i < ilen && line == 0; i++) { 453 switch(con->parse_request->ptr[i]) { 454 case '\r': 455 if (con->parse_request->ptr[i+1] == '\n') { 456 http_method_t r; 457 char *nuri = NULL; 458 size_t j, jlen; 459 460 /* \r\n -> \0\0 */ 461 con->parse_request->ptr[i] = '\0'; 462 con->parse_request->ptr[i+1] = '\0'; 463 464 buffer_copy_string_len(con->request.request_line, con->parse_request->ptr, i); 465 466 if (request_line_stage != 2) { 467 con->http_status = 400; 468 con->response.keep_alive = 0; 469 con->keep_alive = 0; 470 471 if (srv->srvconf.log_request_header_on_error) { 472 log_error_write(srv, __FILE__, __LINE__, "s", "incomplete request line -> 400"); 473 log_error_write(srv, __FILE__, __LINE__, "Sb", 474 "request-header:\n", 475 con->request.request); 476 } 477 return 0; 478 } 479 480 proto = con->parse_request->ptr + first; 481 482 *(uri - 1) = '\0'; 483 *(proto - 1) = '\0'; 484 485 /* we got the first one :) */ 486 if (HTTP_METHOD_UNSET == (r = get_http_method_key(method))) { 487 con->http_status = 501; 488 con->response.keep_alive = 0; 489 con->keep_alive = 0; 490 491 if (srv->srvconf.log_request_header_on_error) { 492 log_error_write(srv, __FILE__, __LINE__, "s", "unknown http-method -> 501"); 493 log_error_write(srv, __FILE__, __LINE__, "Sb", 494 "request-header:\n", 495 con->request.request); 496 } 497 498 return 0; 499 } 500 501 con->request.http_method = r; 502 503 /* 504 * RFC2616 says: 505 * 506 * HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT 507 * 508 * */ 509 if (0 == strncmp(proto, "HTTP/", sizeof("HTTP/") - 1)) { 510 char * major = proto + sizeof("HTTP/") - 1; 511 char * minor = strchr(major, '.'); 512 char *err = NULL; 513 int major_num = 0, minor_num = 0; 514 515 int invalid_version = 0; 516 517 if (NULL == minor || /* no dot */ 518 minor == major || /* no major */ 519 *(minor + 1) == '\0' /* no minor */) { 520 invalid_version = 1; 521 } else { 522 *minor = '\0'; 523 major_num = strtol(major, &err, 10); 524 525 if (*err != '\0') invalid_version = 1; 526 527 *minor++ = '.'; 528 minor_num = strtol(minor, &err, 10); 529 530 if (*err != '\0') invalid_version = 1; 531 } 532 533 if (invalid_version) { 534 con->http_status = 400; 535 con->keep_alive = 0; 536 537 if (srv->srvconf.log_request_header_on_error) { 538 log_error_write(srv, __FILE__, __LINE__, "s", "unknown protocol -> 400"); 539 log_error_write(srv, __FILE__, __LINE__, "Sb", 540 "request-header:\n", 541 con->request.request); 542 } 543 return 0; 544 } 545 546 if (major_num == 1 && minor_num == 1) { 547 con->request.http_version = con->conf.allow_http11 ? HTTP_VERSION_1_1 : HTTP_VERSION_1_0; 548 } else if (major_num == 1 && minor_num == 0) { 549 con->request.http_version = HTTP_VERSION_1_0; 550 } else { 551 con->http_status = 505; 552 553 if (srv->srvconf.log_request_header_on_error) { 554 log_error_write(srv, __FILE__, __LINE__, "s", "unknown HTTP version -> 505"); 555 log_error_write(srv, __FILE__, __LINE__, "Sb", 556 "request-header:\n", 557 con->request.request); 558 } 559 return 0; 560 } 561 } else { 562 con->http_status = 400; 563 con->keep_alive = 0; 564 565 if (srv->srvconf.log_request_header_on_error) { 566 log_error_write(srv, __FILE__, __LINE__, "s", "unknown protocol -> 400"); 567 log_error_write(srv, __FILE__, __LINE__, "Sb", 568 "request-header:\n", 569 con->request.request); 570 } 571 return 0; 572 } 573 574 if (0 == strncmp(uri, "http://", 7) && 575 NULL != (nuri = strchr(uri + 7, '/'))) { 576 reqline_host = uri + 7; 577 reqline_hostlen = nuri - reqline_host; 578 579 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1); 580 } else if (0 == strncmp(uri, "https://", 8) && 581 NULL != (nuri = strchr(uri + 8, '/'))) { 582 reqline_host = uri + 8; 583 reqline_hostlen = nuri - reqline_host; 584 585 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1); 586 } else { 587 /* everything looks good so far */ 588 buffer_copy_string_len(con->request.uri, uri, proto - uri - 1); 589 } 590 591 /* check uri for invalid characters */ 592 jlen = buffer_string_length(con->request.uri); 593 if (http_header_strict) { 594 for (j = 0; j < jlen && request_uri_is_valid_char(con->request.uri->ptr[j]); j++) ; 595 } else { 596 char *z = memchr(con->request.uri->ptr, '\0', jlen); 597 j = (NULL == z) ? jlen : (size_t)(z - con->request.uri->ptr); 598 } 599 if (j < jlen) { 600 con->http_status = 400; 601 con->keep_alive = 0; 602 603 if (srv->srvconf.log_request_header_on_error) { 604 unsigned char buf[2]; 605 buf[0] = con->request.uri->ptr[j]; 606 buf[1] = '\0'; 607 608 if (con->request.uri->ptr[j] > 32 && 609 con->request.uri->ptr[j] != 127) { 610 /* the character is printable -> print it */ 611 log_error_write(srv, __FILE__, __LINE__, "ss", 612 "invalid character in URI -> 400", 613 buf); 614 } else { 615 /* a control-character, print ascii-code */ 616 log_error_write(srv, __FILE__, __LINE__, "sd", 617 "invalid character in URI -> 400", 618 con->request.uri->ptr[j]); 619 } 620 621 log_error_write(srv, __FILE__, __LINE__, "Sb", 622 "request-header:\n", 623 con->request.request); 624 } 625 626 return 0; 627 } 628 629 buffer_copy_buffer(con->request.orig_uri, con->request.uri); 630 631 con->http_status = 0; 632 633 i++; 634 line++; 635 first = i+1; 636 } 637 break; 638 case ' ': 639 switch(request_line_stage) { 640 case 0: 641 /* GET|POST|... */ 642 method = con->parse_request->ptr + first; 643 first = i + 1; 644 break; 645 case 1: 646 /* /foobar/... */ 647 uri = con->parse_request->ptr + first; 648 first = i + 1; 649 break; 650 default: 651 /* ERROR, one space to much */ 652 con->http_status = 400; 653 con->response.keep_alive = 0; 654 con->keep_alive = 0; 655 656 if (srv->srvconf.log_request_header_on_error) { 657 log_error_write(srv, __FILE__, __LINE__, "s", "overlong request line -> 400"); 658 log_error_write(srv, __FILE__, __LINE__, "Sb", 659 "request-header:\n", 660 con->request.request); 661 } 662 return 0; 663 } 664 665 request_line_stage++; 666 break; 667 } 668 } 669 670 in_folding = 0; 671 672 if (buffer_string_is_empty(con->request.uri)) { 673 con->http_status = 400; 674 con->response.keep_alive = 0; 675 con->keep_alive = 0; 676 677 if (srv->srvconf.log_request_header_on_error) { 678 log_error_write(srv, __FILE__, __LINE__, "s", "no uri specified -> 400"); 679 log_error_write(srv, __FILE__, __LINE__, "Sb", 680 "request-header:\n", 681 con->request.request); 682 } 683 return 0; 684 } 685 686 if (reqline_host) { 687 /* Insert as host header */ 688 data_string *ds; 689 690 if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) { 691 ds = data_string_init(); 692 } 693 694 buffer_copy_string_len(ds->key, CONST_STR_LEN("Host")); 695 buffer_copy_string_len(ds->value, reqline_host, reqline_hostlen); 696 array_insert_unique(con->request.headers, (data_unset *)ds); 697 con->request.http_host = ds->value; 698 } 699 700 for (; i <= ilen && !done; i++) { 701 char *cur = con->parse_request->ptr + i; 702 703 if (is_key) { 704 size_t j; 705 int got_colon = 0; 706 707 /** 708 * 1*<any CHAR except CTLs or separators> 709 * CTLs == 0-31 + 127, CHAR = 7-bit ascii (0..127) 710 * 711 */ 712 switch(*cur) { 713 case ':': 714 is_key = 0; 715 716 value = cur + 1; 717 718 if (is_ws_after_key == 0) { 719 key_len = i - first; 720 } 721 is_ws_after_key = 0; 722 723 break; 724 case '(': 725 case ')': 726 case '<': 727 case '>': 728 case '@': 729 case ',': 730 case ';': 731 case '\\': 732 case '\"': 733 case '/': 734 case '[': 735 case ']': 736 case '?': 737 case '=': 738 case '{': 739 case '}': 740 con->http_status = 400; 741 con->keep_alive = 0; 742 con->response.keep_alive = 0; 743 744 if (srv->srvconf.log_request_header_on_error) { 745 log_error_write(srv, __FILE__, __LINE__, "sbsds", 746 "invalid character in key", con->request.request, cur, *cur, "-> 400"); 747 748 log_error_write(srv, __FILE__, __LINE__, "Sb", 749 "request-header:\n", 750 con->request.request); 751 } 752 return 0; 753 case ' ': 754 case '\t': 755 if (i == first) { 756 is_key = 0; 757 in_folding = 1; 758 value = cur; 759 760 break; 761 } 762 763 764 key_len = i - first; 765 766 /* skip every thing up to the : */ 767 for (j = 1; !got_colon; j++) { 768 switch(con->parse_request->ptr[j + i]) { 769 case ' ': 770 case '\t': 771 /* skip WS */ 772 continue; 773 case ':': 774 /* ok, done; handle the colon the usual way */ 775 776 i += j - 1; 777 got_colon = 1; 778 is_ws_after_key = 1; /* we already know the key length */ 779 780 break; 781 default: 782 /* error */ 783 784 if (srv->srvconf.log_request_header_on_error) { 785 log_error_write(srv, __FILE__, __LINE__, "s", "WS character in key -> 400"); 786 log_error_write(srv, __FILE__, __LINE__, "Sb", 787 "request-header:\n", 788 con->request.request); 789 } 790 791 con->http_status = 400; 792 con->response.keep_alive = 0; 793 con->keep_alive = 0; 794 795 return 0; 796 } 797 } 798 799 break; 800 case '\r': 801 if (con->parse_request->ptr[i+1] == '\n' && i == first) { 802 /* End of Header */ 803 con->parse_request->ptr[i] = '\0'; 804 con->parse_request->ptr[i+1] = '\0'; 805 806 i++; 807 808 done = 1; 809 } else { 810 if (srv->srvconf.log_request_header_on_error) { 811 log_error_write(srv, __FILE__, __LINE__, "s", "CR without LF -> 400"); 812 log_error_write(srv, __FILE__, __LINE__, "Sb", 813 "request-header:\n", 814 con->request.request); 815 } 816 817 con->http_status = 400; 818 con->keep_alive = 0; 819 con->response.keep_alive = 0; 820 return 0; 821 } 822 break; 823 default: 824 if (http_header_strict ? (*cur < 32 || ((unsigned char)*cur) >= 127) : *cur == '\0') { 825 con->http_status = 400; 826 con->keep_alive = 0; 827 con->response.keep_alive = 0; 828 829 if (srv->srvconf.log_request_header_on_error) { 830 log_error_write(srv, __FILE__, __LINE__, "sbsds", 831 "invalid character in key", con->request.request, cur, *cur, "-> 400"); 832 833 log_error_write(srv, __FILE__, __LINE__, "Sb", 834 "request-header:\n", 835 con->request.request); 836 } 837 838 return 0; 839 } 840 /* ok */ 841 break; 842 } 843 } else { 844 switch(*cur) { 845 case '\r': 846 if (con->parse_request->ptr[i+1] == '\n') { 847 data_string *ds = NULL; 848 849 /* End of Headerline */ 850 con->parse_request->ptr[i] = '\0'; 851 con->parse_request->ptr[i+1] = '\0'; 852 853 if (in_folding) { 854 buffer *key_b; 855 /** 856 * we use a evil hack to handle the line-folding 857 * 858 * As array_insert_unique() deletes 'ds' in the case of a duplicate 859 * ds points somewhere and we get a evil crash. As a solution we keep the old 860 * "key" and get the current value from the hash and append us 861 * 862 * */ 863 864 if (!key || !key_len) { 865 /* 400 */ 866 867 if (srv->srvconf.log_request_header_on_error) { 868 log_error_write(srv, __FILE__, __LINE__, "s", "WS at the start of first line -> 400"); 869 870 log_error_write(srv, __FILE__, __LINE__, "Sb", 871 "request-header:\n", 872 con->request.request); 873 } 874 875 876 con->http_status = 400; 877 con->keep_alive = 0; 878 con->response.keep_alive = 0; 879 return 0; 880 } 881 882 key_b = buffer_init(); 883 buffer_copy_string_len(key_b, key, key_len); 884 885 if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr))) { 886 buffer_append_string(ds->value, value); 887 } 888 889 buffer_free(key_b); 890 } else { 891 int s_len; 892 key = con->parse_request->ptr + first; 893 894 s_len = cur - value; 895 896 /* strip trailing white-spaces */ 897 for (; s_len > 0 && 898 (value[s_len - 1] == ' ' || 899 value[s_len - 1] == '\t'); s_len--); 900 901 value[s_len] = '\0'; 902 903 if (s_len > 0) { 904 int cmp = 0; 905 if (NULL == (ds = (data_string *)array_get_unused_element(con->request.headers, TYPE_STRING))) { 906 ds = data_string_init(); 907 } 908 buffer_copy_string_len(ds->key, key, key_len); 909 buffer_copy_string_len(ds->value, value, s_len); 910 911 /* retreive values 912 * 913 * 914 * the list of options is sorted to simplify the search 915 */ 916 917 if (0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Connection")))) { 918 array *vals; 919 size_t vi; 920 921 /* split on , */ 922 923 vals = srv->split_vals; 924 925 array_reset(vals); 926 927 http_request_split_value(vals, ds->value); 928 929 for (vi = 0; vi < vals->used; vi++) { 930 data_string *dsv = (data_string *)vals->data[vi]; 931 932 if (0 == buffer_caseless_compare(CONST_BUF_LEN(dsv->value), CONST_STR_LEN("keep-alive"))) { 933 keep_alive_set = HTTP_CONNECTION_KEEPALIVE; 934 935 break; 936 } else if (0 == buffer_caseless_compare(CONST_BUF_LEN(dsv->value), CONST_STR_LEN("close"))) { 937 keep_alive_set = HTTP_CONNECTION_CLOSE; 938 939 break; 940 } 941 } 942 943 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Length")))) { 944 char *err; 945 unsigned long int r; 946 size_t j, jlen; 947 948 if (con_length_set) { 949 con->http_status = 400; 950 con->keep_alive = 0; 951 952 if (srv->srvconf.log_request_header_on_error) { 953 log_error_write(srv, __FILE__, __LINE__, "s", 954 "duplicate Content-Length-header -> 400"); 955 log_error_write(srv, __FILE__, __LINE__, "Sb", 956 "request-header:\n", 957 con->request.request); 958 } 959 array_insert_unique(con->request.headers, (data_unset *)ds); 960 return 0; 961 } 962 963 jlen = buffer_string_length(ds->value); 964 for (j = 0; j < jlen; j++) { 965 char c = ds->value->ptr[j]; 966 if (!isdigit((unsigned char)c)) { 967 log_error_write(srv, __FILE__, __LINE__, "sbs", 968 "content-length broken:", ds->value, "-> 400"); 969 970 con->http_status = 400; 971 con->keep_alive = 0; 972 973 array_insert_unique(con->request.headers, (data_unset *)ds); 974 return 0; 975 } 976 } 977 978 r = strtoul(ds->value->ptr, &err, 10); 979 980 if (*err == '\0') { 981 con_length_set = 1; 982 con->request.content_length = r; 983 } else { 984 log_error_write(srv, __FILE__, __LINE__, "sbs", 985 "content-length broken:", ds->value, "-> 400"); 986 987 con->http_status = 400; 988 con->keep_alive = 0; 989 990 array_insert_unique(con->request.headers, (data_unset *)ds); 991 return 0; 992 } 993 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Content-Type")))) { 994 /* if dup, only the first one will survive */ 995 if (!con->request.http_content_type) { 996 con->request.http_content_type = ds->value->ptr; 997 } else { 998 con->http_status = 400; 999 con->keep_alive = 0; 1000 1001 if (srv->srvconf.log_request_header_on_error) { 1002 log_error_write(srv, __FILE__, __LINE__, "s", 1003 "duplicate Content-Type-header -> 400"); 1004 log_error_write(srv, __FILE__, __LINE__, "Sb", 1005 "request-header:\n", 1006 con->request.request); 1007 } 1008 array_insert_unique(con->request.headers, (data_unset *)ds); 1009 return 0; 1010 } 1011 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Expect")))) { 1012 /* HTTP 2616 8.2.3 1013 * Expect: 100-continue 1014 * 1015 * -> (10.1.1) 100 (read content, process request, send final status-code) 1016 * -> (10.4.18) 417 (close) 1017 * 1018 * (not handled at all yet, we always send 417 here) 1019 * 1020 * What has to be added ? 1021 * 1. handling of chunked request body 1022 * 2. out-of-order sending from the HTTP/1.1 100 Continue 1023 * header 1024 * 1025 */ 1026 1027 if (srv->srvconf.reject_expect_100_with_417 && 0 == buffer_caseless_compare(CONST_BUF_LEN(ds->value), CONST_STR_LEN("100-continue"))) { 1028 con->http_status = 417; 1029 con->keep_alive = 0; 1030 array_insert_unique(con->request.headers, (data_unset *)ds); 1031 return 0; 1032 } 1033 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Host")))) { 1034 if (reqline_host) { 1035 /* ignore all host: headers as we got the host in the request line */ 1036 ds->free((data_unset*) ds); 1037 ds = NULL; 1038 } else if (!con->request.http_host) { 1039 con->request.http_host = ds->value; 1040 } else { 1041 con->http_status = 400; 1042 con->keep_alive = 0; 1043 1044 if (srv->srvconf.log_request_header_on_error) { 1045 log_error_write(srv, __FILE__, __LINE__, "s", 1046 "duplicate Host-header -> 400"); 1047 log_error_write(srv, __FILE__, __LINE__, "Sb", 1048 "request-header:\n", 1049 con->request.request); 1050 } 1051 array_insert_unique(con->request.headers, (data_unset *)ds); 1052 return 0; 1053 } 1054 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-Modified-Since")))) { 1055 /* Proxies sometimes send dup headers 1056 * if they are the same we ignore the second 1057 * if not, we raise an error */ 1058 if (!con->request.http_if_modified_since) { 1059 con->request.http_if_modified_since = ds->value->ptr; 1060 } else if (0 == strcasecmp(con->request.http_if_modified_since, 1061 ds->value->ptr)) { 1062 /* ignore it if they are the same */ 1063 1064 ds->free((data_unset *)ds); 1065 ds = NULL; 1066 } else { 1067 con->http_status = 400; 1068 con->keep_alive = 0; 1069 1070 if (srv->srvconf.log_request_header_on_error) { 1071 log_error_write(srv, __FILE__, __LINE__, "s", 1072 "duplicate If-Modified-Since header -> 400"); 1073 log_error_write(srv, __FILE__, __LINE__, "Sb", 1074 "request-header:\n", 1075 con->request.request); 1076 } 1077 array_insert_unique(con->request.headers, (data_unset *)ds); 1078 return 0; 1079 } 1080 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-None-Match")))) { 1081 /* if dup, only the first one will survive */ 1082 if (!con->request.http_if_none_match) { 1083 con->request.http_if_none_match = ds->value->ptr; 1084 } else { 1085 ds->free((data_unset*) ds); 1086 ds = NULL; 1087 } 1088 } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Range")))) { 1089 if (!con->request.http_range) { 1090 /* bytes=.*-.* */ 1091 1092 if (0 == strncasecmp(ds->value->ptr, "bytes=", 6) && 1093 NULL != strchr(ds->value->ptr+6, '-')) { 1094 1095 /* if dup, only the first one will survive */ 1096 con->request.http_range = ds->value->ptr + 6; 1097 } 1098 } else { 1099 con->http_status = 400; 1100 con->keep_alive = 0; 1101 1102 if (srv->srvconf.log_request_header_on_error) { 1103 log_error_write(srv, __FILE__, __LINE__, "s", 1104 "duplicate Range-header -> 400"); 1105 log_error_write(srv, __FILE__, __LINE__, "Sb", 1106 "request-header:\n", 1107 con->request.request); 1108 } 1109 array_insert_unique(con->request.headers, (data_unset *)ds); 1110 return 0; 1111 } 1112 } 1113 1114 if (ds) array_insert_unique(con->request.headers, (data_unset *)ds); 1115 } else { 1116 /* empty header-fields are not allowed by HTTP-RFC, we just ignore them */ 1117 } 1118 } 1119 1120 i++; 1121 first = i+1; 1122 is_key = 1; 1123 value = NULL; 1124 #if 0 1125 /** 1126 * for Bug 1230 keep the key_len a live 1127 */ 1128 key_len = 0; 1129 #endif 1130 in_folding = 0; 1131 } else { 1132 if (srv->srvconf.log_request_header_on_error) { 1133 log_error_write(srv, __FILE__, __LINE__, "sbs", 1134 "CR without LF", con->request.request, "-> 400"); 1135 } 1136 1137 con->http_status = 400; 1138 con->keep_alive = 0; 1139 con->response.keep_alive = 0; 1140 return 0; 1141 } 1142 break; 1143 case ' ': 1144 case '\t': 1145 /* strip leading WS */ 1146 if (value == cur) value = cur+1; 1147 break; 1148 default: 1149 if (http_header_strict ? (*cur >= 0 && *cur < 32) : *cur == '\0') { 1150 if (srv->srvconf.log_request_header_on_error) { 1151 log_error_write(srv, __FILE__, __LINE__, "sds", 1152 "invalid char in header", (int)*cur, "-> 400"); 1153 } 1154 1155 con->http_status = 400; 1156 con->keep_alive = 0; 1157 1158 return 0; 1159 } 1160 break; 1161 } 1162 } 1163 } 1164 1165 con->header_len = i; 1166 1167 /* do some post-processing */ 1168 1169 if (con->request.http_version == HTTP_VERSION_1_1) { 1170 if (keep_alive_set != HTTP_CONNECTION_CLOSE) { 1171 /* no Connection-Header sent */ 1172 1173 /* HTTP/1.1 -> keep-alive default TRUE */ 1174 con->keep_alive = 1; 1175 } else { 1176 con->keep_alive = 0; 1177 } 1178 1179 /* RFC 2616, 14.23 */ 1180 if (con->request.http_host == NULL || 1181 buffer_string_is_empty(con->request.http_host)) { 1182 con->http_status = 400; 1183 con->response.keep_alive = 0; 1184 con->keep_alive = 0; 1185 1186 if (srv->srvconf.log_request_header_on_error) { 1187 log_error_write(srv, __FILE__, __LINE__, "s", "HTTP/1.1 but Host missing -> 400"); 1188 log_error_write(srv, __FILE__, __LINE__, "Sb", 1189 "request-header:\n", 1190 con->request.request); 1191 } 1192 return 0; 1193 } 1194 } else { 1195 if (keep_alive_set == HTTP_CONNECTION_KEEPALIVE) { 1196 /* no Connection-Header sent */ 1197 1198 /* HTTP/1.0 -> keep-alive default FALSE */ 1199 con->keep_alive = 1; 1200 } else { 1201 con->keep_alive = 0; 1202 } 1203 } 1204 1205 /* check hostname field if it is set */ 1206 if (!buffer_is_empty(con->request.http_host) && 1207 (((con->conf.http_parseopts & HTTP_PARSEOPT_HOST_STRICT) && 1208 0 != request_check_hostname(con->request.http_host)) 1209 || ((con->conf.http_parseopts & HTTP_PARSEOPT_HOST_NORMALIZE) && 1210 0 != http_request_host_normalize(con->request.http_host)))) { 1211 1212 if (srv->srvconf.log_request_header_on_error) { 1213 log_error_write(srv, __FILE__, __LINE__, "s", 1214 "Invalid Hostname -> 400"); 1215 log_error_write(srv, __FILE__, __LINE__, "Sb", 1216 "request-header:\n", 1217 con->request.request); 1218 } 1219 1220 con->http_status = 400; 1221 con->response.keep_alive = 0; 1222 con->keep_alive = 0; 1223 1224 return 0; 1225 } 1226 1227 switch(con->request.http_method) { 1228 case HTTP_METHOD_GET: 1229 case HTTP_METHOD_HEAD: 1230 /* content-length is forbidden for those */ 1231 if (con_length_set && con->request.content_length != 0) { 1232 /* content-length is missing */ 1233 log_error_write(srv, __FILE__, __LINE__, "s", 1234 "GET/HEAD with content-length -> 400"); 1235 1236 con->keep_alive = 0; 1237 con->http_status = 400; 1238 return 0; 1239 } 1240 break; 1241 case HTTP_METHOD_POST: 1242 /* content-length is required for them */ 1243 if (!con_length_set) { 1244 /* content-length is missing */ 1245 log_error_write(srv, __FILE__, __LINE__, "s", 1246 "POST-request, but content-length missing -> 411"); 1247 1248 con->keep_alive = 0; 1249 con->http_status = 411; 1250 return 0; 1251 1252 } 1253 break; 1254 default: 1255 /* require Content-Length if request contains request body */ 1256 if (array_get_element(con->request.headers, "Transfer-Encoding")) { 1257 /* presence of Transfer-Encoding in request headers requires "chunked" 1258 * be final encoding in HTTP/1.1. Return 411 Length Required as 1259 * lighttpd does not support request input transfer-encodings */ 1260 con->keep_alive = 0; 1261 con->http_status = 411; /* 411 Length Required */ 1262 return 0; 1263 } 1264 break; 1265 } 1266 1267 1268 /* check if we have read post data */ 1269 if (con_length_set) { 1270 /* don't handle more the SSIZE_MAX bytes in content-length */ 1271 if (con->request.content_length > SSIZE_MAX) { 1272 con->http_status = 413; 1273 con->keep_alive = 0; 1274 1275 log_error_write(srv, __FILE__, __LINE__, "sos", 1276 "request-size too long:", (off_t) con->request.content_length, "-> 413"); 1277 return 0; 1278 } 1279 1280 /* divide by 1024 as srvconf.max_request_size is in kBytes */ 1281 if (srv->srvconf.max_request_size != 0 && 1282 (con->request.content_length >> 10) > srv->srvconf.max_request_size) { 1283 /* the request body itself is larger then 1284 * our our max_request_size 1285 */ 1286 1287 con->http_status = 413; 1288 con->keep_alive = 0; 1289 1290 log_error_write(srv, __FILE__, __LINE__, "sos", 1291 "request-size too long:", (off_t) con->request.content_length, "-> 413"); 1292 return 0; 1293 } 1294 1295 1296 /* we have content */ 1297 if (con->request.content_length != 0) { 1298 return 1; 1299 } 1300 } 1301 1302 return 0; 1303 } 1304 1305 int http_request_header_finished(server *srv, connection *con) { 1306 UNUSED(srv); 1307 1308 if (buffer_string_length(con->request.request) < 4) return 0; 1309 1310 if (0 == memcmp(con->request.request->ptr + buffer_string_length(con->request.request) - 4, CONST_STR_LEN("\r\n\r\n"))) return 1; 1311 if (NULL != strstr(con->request.request->ptr, "\r\n\r\n")) return 1; 1312 1313 return 0; 1314 } 1315