mirror of https://github.com/ninenines/cowboy.git synced 2025-07-14 12:20:24 +00:00

Reject absolute URIs with no authority components

Loïc Hoguin 2017-11-29 18:33:50 +01:00
parent d50bab8e78
commit 8d9404e9b6
No known key found for this signature in database
GPG key ID: 8A9DF795F6FED764


@ -379,28 +379,34 @@ parse_method(<< C, Rest/bits >>, State, SoFar, Remaining) ->
parse_uri(<< H, T, T, P, "://", Rest/bits >>, State, Method)
when H =:= $h orelse H =:= $H, T =:= $t orelse T =:= $T;
P =:= $p orelse P =:= $P ->
parse_uri_skip_host(Rest, State, Method);
parse_uri_skip_host(Rest, State, Method, <<>>);
parse_uri(<< H, T, T, P, S, "://", Rest/bits >>, State, Method)
when H =:= $h orelse H =:= $H, T =:= $t orelse T =:= $T;
P =:= $p orelse P =:= $P; S =:= $s orelse S =:= $S ->
parse_uri_skip_host(Rest, State, Method);
parse_uri_skip_host(Rest, State, Method, <<>>);
parse_uri(<< $/, Rest/bits >>, State, Method) ->
parse_uri_path(Rest, State, Method, << $/ >>);
parse_uri(_, State, _) ->
error_terminate(400, State, {connection_error, protocol_error,
'Invalid request-line or request-target. (RFC7230 3.1.1, RFC7230 5.3)'}).
parse_uri_skip_host(<< C, Rest/bits >>, State, Method) ->
parse_uri_skip_host(<< C, Rest/bits >>, State, Method, SoFar) ->
case C of
$\r -> error_terminate(400, State, {connection_error, protocol_error,
$\r ->
error_terminate(400, State, {connection_error, protocol_error,
'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
$@ -> error_terminate(400, State, {connection_error, protocol_error,
$@ ->
error_terminate(400, State, {connection_error, protocol_error,
'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
C when SoFar =:= <<>> andalso
((C =:= $/) orelse (C =:= $\s) orelse (C =:= $?) orelse (C =:= $#)) ->
error_terminate(400, State, {connection_error, protocol_error,
'Absolute URIs must include an authority component. (RFC7230 2.7.1)'});
$/ -> parse_uri_path(Rest, State, Method, <<"/">>);
$\s -> parse_version(Rest, State, Method, <<"/">>, <<>>);
$? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>);
$# -> skip_uri_fragment(Rest, State, Method, <<"/">>, <<>>);
_ -> parse_uri_skip_host(Rest, State, Method)
C -> parse_uri_skip_host(Rest, State, Method, <<SoFar/binary, C>>)
end.
parse_uri_path(<< C, Rest/bits >>, State, Method, SoFar) ->
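Review bot: The new empty-authority clause in parse_uri_skip_host only fires when `/`, space, `?` or `#` arrives while SoFar is still `<<>>`, so a constructed target such as `http://:8080/` still passes: the `:` reaches the final `C ->` clause and makes SoFar non-empty before the `/` is seen. RFC 7230 2.7.1 also tells recipients to reject an "http" URI with an empty host identifier, so a clause such as `$: when SoFar =:= <<>> ->` ending in the same 400 `error_terminate` call would close that gap. Separately, the guards on both absolute-URI parse_uri clauses join their tests with `;`, which separates alternative guards, so each clause matches when H and T match or when P (or S) alone matches; `,` throughout looks like what was intended, which would restrict the clauses to http and https. SoFar is only ever compared with `<<>>` in this hunk, so a short comment such as `%% SoFar is only used to detect an empty authority; the host itself is discarded.` would help the next reader.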