umgeher/cowboy
0
Fork 0
mirror of https://github.com/ninenines/cowboy.git synced 2025-07-15 04:30:25 +00:00
Code Issues Wiki Activity

Reject absolute URIs with userinfo components in HTTP/1.1

Browse source
This commit is contained in:
Loïc Hoguin 2017-11-29 18:10:11 +01:00
parent 14b4afa669
commit d50bab8e78
No known key found for this signature in database
GPG key ID: 8A9DF795F6FED764
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/cowboy_http.erl
View file

@ -394,6 +394,8 @@ parse_uri_skip_host(<< C, Rest/bits >>, State, Method) ->
case C of case C of
$\r -> error_terminate(400, State, {connection_error, protocol_error, $\r -> error_terminate(400, State, {connection_error, protocol_error,
'The request-target must not be followed by a line break. (RFC7230 3.1.1)'}); 'The request-target must not be followed by a line break. (RFC7230 3.1.1)'});
$@ -> error_terminate(400, State, {connection_error, protocol_error,
'Absolute URIs must not include a userinfo component. (RFC7230 2.7.1)'});
$/ -> parse_uri_path(Rest, State, Method, <<"/">>); $/ -> parse_uri_path(Rest, State, Method, <<"/">>);
$\s -> parse_version(Rest, State, Method, <<"/">>, <<>>); $\s -> parse_version(Rest, State, Method, <<"/">>, <<>>);
$? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>); $? -> parse_uri_query(Rest, State, Method, <<"/">>, <<>>);