From 4bd63d35fb917026b946c0a0db9d5e8329f6d021 Mon Sep 17 00:00:00 2001 From: Ryan Date: Tue, 9 Jun 2009 15:18:12 +0200 Subject: [PATCH] Upgrade http_parser - protects against buffer overflows now --- deps/http_parser/LICENSE | 79 ++++++++++++++++++++ deps/http_parser/README.md | 9 ++- deps/http_parser/http_parser.h | 14 ++-- deps/http_parser/http_parser.rl | 123 +++++++++++++++++++++----------- 4 files changed, 179 insertions(+), 46 deletions(-) create mode 100644 deps/http_parser/LICENSE diff --git a/deps/http_parser/LICENSE b/deps/http_parser/LICENSE new file mode 100644 index 0000000000..7fb7fcd191 --- /dev/null +++ b/deps/http_parser/LICENSE 
@@ -0,0 +1,79 @@ +Copyright 2009, Ryan Lienhart Dahl. All rights reserved. +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +IN THE SOFTWARE. + + + + +http_parser is based on Zed Shaw's Mongrel. Mongrel's license is as follows. + +-- CUT ---- CUT ---- CUT ---- CUT ---- CUT ---- CUT ---- CUT ---- CUT -- +Mongrel Web Server (Mongrel) is copyrighted free software by Zed A. Shaw + and contributors. You can redistribute it +and/or modify it under either the terms of the GPL2 or the conditions below: + +1. You may make and give away verbatim copies of the source form of the + software without restriction, provided that you duplicate all of the + original copyright notices and associated disclaimers. + +2. 
You may modify your copy of the software in any way, provided that + you do at least ONE of the following: + + a) place your modifications in the Public Domain or otherwise make them + Freely Available, such as by posting said modifications to Usenet or an + equivalent medium, or by allowing the author to include your + modifications in the software. + + b) use the modified software only within your corporation or + organization. + + c) rename any non-standard executables so the names do not conflict with + standard executables, which must also be provided. + + d) make other distribution arrangements with the author. + +3. You may distribute the software in object code or executable + form, provided that you do at least ONE of the following: + + a) distribute the executables and library files of the software, + together with instructions (in the manual page or equivalent) on where + to get the original distribution. + + b) accompany the distribution with the machine-readable source of the + software. + + c) give non-standard executables non-standard names, with + instructions on where to get the original software distribution. + + d) make other distribution arrangements with the author. + +4. You may modify and include the part of the software into any other + software (possibly commercial). But some files in the distribution + are not written by the author, so that they are not under this terms. + +5. The scripts and library files supplied as input to or produced as + output from the software do not automatically fall under the + copyright of the software, but belong to whomever generated them, + and may be sold commercially, and may be aggregated with this + software. + +6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. +-- CUT ---- CUT ---- CUT ---- CUT ---- CUT ---- CUT ---- CUT ---- CUT -- 
diff --git a/deps/http_parser/README.md b/deps/http_parser/README.md index 26c3e968c7..e0c2b9ce15 100644 --- a/deps/http_parser/README.md +++ b/deps/http_parser/README.md @@ -4,7 +4,7 @@ HTTP Parser This is a parser for HTTP messages written in C. It parses both requests and responses. The parser is designed to be used in performance HTTP applications. It does not make any allocations, it does not buffer data, and -it can be interrupted at anytime. It only requires about 100 bytes of data +it can be interrupted at anytime. It only requires about 128 bytes of data per message stream (in a web server that is per connection). Features: @@ -22,6 +22,7 @@ Features: * http version * request path, query string, fragment * message body + * Defends against buffer overflow attacks. Usage ----- @@ -57,6 +58,12 @@ buffering the data is not necessary. If you need to save certain data for later usage, you can do that from the callbacks. (You can also `read()` into a heap allocated buffer to avoid copying memory around if this fits your application.) + +Scalar valued message information such as `status_code`, `method`, and the +HTTP version are stored in the parser structure. This data is only +temporarlly stored in `http_parser` and gets reset on each new message. If +this information is needed later, copy it out of the structure during the +`headers_complete` callback. The parser decodes the transfer-encoding for both requests and responses transparently. That is, a chunked encoding is decoded before being sent to diff --git a/deps/http_parser/http_parser.h b/deps/http_parser/http_parser.h index d41580e677..08163a4637 100644 --- a/deps/http_parser/http_parser.h +++ b/deps/http_parser/http_parser.h 
@@ -1,8 +1,7 @@
-/* Copyright (c) 2008 Ryan Dahl (ry@tinyclouds.org)
- * All rights reserved.
+/* Copyright (c) 2008, 2009 Ryan Dahl (ry@tinyclouds.org)
+ * Based on Zed Shaw's Mongrel, copyright (c) Zed A. Shaw
+ *
- * This parser is based on code from Zed Shaw's Mongrel.
- * Copyright (c) 2005 Zed A. Shaw
+ * All rights reserved.
+ *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
@@ -72,14 +71,21 @@ struct http_parser {
 size_t chunk_size;
 unsigned eating:1;
+ unsigned buffer_overflow:1;
 size_t body_read;
 const char *header_field_mark;
+ size_t header_field_size;
 const char *header_value_mark;
+ size_t header_value_size;
 const char *query_string_mark;
+ size_t query_string_size;
 const char *path_mark;
+ size_t path_size;
 const char *uri_mark;
+ size_t uri_size;
 const char *fragment_mark;
+ size_t fragment_size;
 /** READ-ONLY **/
 unsigned short status_code; /* responses only */
diff --git a/deps/http_parser/http_parser.rl b/deps/http_parser/http_parser.rl
index 3b4700f852..cb4c7f3370 100644
--- a/deps/http_parser/http_parser.rl
+++ b/deps/http_parser/http_parser.rl
@@ -1,7 +1,5 @@
 /* Copyright (c) 2008, 2009 Ryan Dahl (ry@tinyclouds.org)
- *
- * Based on Zed Shaw's Mongrel.
- * Copyright (c) 2005 Zed A. Shaw
+ * Based on Zed Shaw's Mongrel, copyright (c) Zed A. Shaw
 *
 * All rights reserved.
 *
@@ -25,8 +23,9 @@
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
 #include "http_parser.h"
-
-#include
+#ifndef NDEBUG
+# include
+#endif
 static int unhex[] = {-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
 ,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
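Review bot: The six `*_size` counters added to `struct http_parser` in the `@@ -72,14 +71,21 @@` hunk are private scratch state placed in the public header with no comment, unlike the `/** READ-ONLY **/` group just below them. A one-line comment would stop embedders from reading them as "the length of the field", e.g. `/* PRIVATE: bytes of the field currently marked, summed across execute() calls; parsing stops once this exceeds the per-field limit */`. Adding `size_t` members also grows `sizeof(http_parser)`, so anything that embeds the struct by value needs a rebuild, which is worth a line in the commit message. The struct's opening and closing braces are outside the hunk.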
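Review bot: Guarding the system include with `#ifndef NDEBUG` in the `@@ -25,8 +23,9 @@` hunk of http_parser.rl only compiles if every `assert()` in the file is guarded the same way; the header name has been stripped from this page, but if it is `<assert.h>`, a release build with `NDEBUG` defined will see an undeclared `assert` at every use, whereas `<assert.h>` itself already expands `assert` to nothing under `NDEBUG`. Either keep `#include <assert.h>` unconditional and drop the guard, or confirm that no unguarded `assert()` remains in the generated parser. The rest of the file is outside this hunk, so I cannot check that here.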
@@ -42,38 +41,50 @@ static int unhex[] = {-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
 #define MIN(a,b) (a < b ? a : b)
 #define NULL (void*)(0)
-#define REMAINING (pe - p)
-#define CALLBACK(FOR) \
- if (parser->FOR##_mark && parser->on_##FOR) { \
- callback_return_value = \
- parser->on_##FOR(parser, parser->FOR##_mark, p - parser->FOR##_mark); \
- }
+#define MAX_FIELD_SIZE 80*1024
-#define RESET_PARSER(parser) \
- parser->chunk_size = 0; \
- parser->eating = 0; \
- parser->header_field_mark = NULL; \
- parser->header_value_mark = NULL; \
- parser->query_string_mark = NULL; \
- parser->path_mark = NULL; \
- parser->uri_mark = NULL; \
- parser->fragment_mark = NULL; \
- parser->status_code = 0; \
- parser->method = 0; \
- parser->transfer_encoding = HTTP_IDENTITY; \
- parser->version_major = 0; \
- parser->version_minor = 0; \
- parser->keep_alive = -1; \
- parser->content_length = 0; \
+#define REMAINING (pe - p)
+#define CALLBACK(FOR) \
+do { \
+ if (parser->FOR##_mark) { \
+ parser->FOR##_size += p - parser->FOR##_mark; \
+ if (parser->FOR##_size > MAX_FIELD_SIZE) { \
+ parser->buffer_overflow = TRUE; \
+ return 0; \
+ } \
+ if (parser->on_##FOR) { \
+ callback_return_value = parser->on_##FOR(parser, \
+ parser->FOR##_mark, \
+ p - parser->FOR##_mark); \
+ } \
+ } \
+} while(0)
+
+#define RESET_PARSER(parser) \
+ parser->chunk_size = 0; \
+ parser->eating = 0; \
+ parser->header_field_mark = NULL; \
+ parser->header_value_mark = NULL; \
+ parser->query_string_mark = NULL; \
+ parser->path_mark = NULL; \
+ parser->uri_mark = NULL; \
+ parser->fragment_mark = NULL; \
+ parser->status_code = 0; \
+ parser->method = 0; \
+ parser->transfer_encoding = HTTP_IDENTITY; \
+ parser->version_major = 0; \
+ parser->version_minor = 0; \
+ parser->keep_alive = -1; \
+ parser->content_length = 0; \
 parser->body_read = 0;
-#define END_REQUEST \
-do { \
- if (parser->on_message_complete) { \
- callback_return_value = \
- parser->on_message_complete(parser); \
- } \
- RESET_PARSER(parser); \
+#define END_REQUEST \
+do { \
+ if (parser->on_message_complete) { \
+ callback_return_value = \
+ parser->on_message_complete(parser); \
+ } \
+ RESET_PARSER(parser); \
 } while (0)
 #define SKIP_BODY(nskip) \
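Review bot: The new `CALLBACK` macro caps each field at `MAX_FIELD_SIZE`, but it bails out with a bare `return 0;` from inside the Ragel action, which looks like an ordinary "consumed nothing" return to the caller; the overflow is only visible through `http_parser_has_error()`, and the stale `FOR##_mark` still points into the buffer that was just handed in (the execute function is outside this hunk, so I cannot confirm how callers consume the return value). The limit is also per field only: a client can still send an unbounded number of headers each just under 80 KiB, so a total-header byte budget or header count is still missing if the callbacks accumulate what they receive. Minor: parenthesize the constant, `#define MAX_FIELD_SIZE (80*1024)`, and note that `RESET_PARSER` nulls the marks but not the new `*_size` counters, which is only safe because every `mark_*` action zeroes them before use.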
@@ -100,47 +111,76 @@ do { \
 %%{
 machine http_parser;
- action mark_header_field { parser->header_field_mark = p; }
- action mark_header_value { parser->header_value_mark = p; }
- action mark_fragment { parser->fragment_mark = p; }
- action mark_query_string { parser->query_string_mark = p; }
- action mark_request_path { parser->path_mark = p; }
- action mark_request_uri { parser->uri_mark = p; }
+ action mark_header_field {
+ parser->header_field_mark = p;
+ parser->header_field_size = 0;
+ }
+
+ action mark_header_value {
+ parser->header_value_mark = p;
+ parser->header_value_size = 0;
+ }
+
+ action mark_fragment {
+ parser->fragment_mark = p;
+ parser->fragment_size = 0;
+ }
+
+ action mark_query_string {
+ parser->query_string_mark = p;
+ parser->query_string_size = 0;
+ }
+
+ action mark_request_path {
+ parser->path_mark = p;
+ parser->path_size = 0;
+ }
+
+ action mark_request_uri {
+ parser->uri_mark = p;
+ parser->uri_size = 0;
+ }
 action header_field {
 CALLBACK(header_field);
 if (callback_return_value != 0) fbreak;
 parser->header_field_mark = NULL;
+ parser->header_field_size = 0;
 }
 action header_value {
 CALLBACK(header_value);
 if (callback_return_value != 0) fbreak;
 parser->header_value_mark = NULL;
+ parser->header_value_size = 0;
 }
 action request_uri {
 CALLBACK(uri);
 if (callback_return_value != 0) fbreak;
 parser->uri_mark = NULL;
+ parser->uri_size = 0;
 }
 action fragment {
 CALLBACK(fragment);
 if (callback_return_value != 0) fbreak;
 parser->fragment_mark = NULL;
+ parser->fragment_size = 0;
 }
 action query_string {
 CALLBACK(query_string);
 if (callback_return_value != 0) fbreak;
 parser->query_string_mark = NULL;
+ parser->query_string_size = 0;
 }
 action request_path {
 CALLBACK(path);
 if (callback_return_value != 0) fbreak;
 parser->path_mark = NULL;
+ parser->path_size = 0;
 }
 action headers_complete {
@@ -227,7 +267,6 @@ do { \
 }
 }
- CRLF = "\r\n";
 # character types
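Review bot: The `parser->header_field_size = 0;` lines added after `if (callback_return_value != 0) fbreak;` in each `action header_field`-style block never run on the overflow path, because `CALLBACK` returns from the function before reaching them, so on that path both the mark and the over-limit size survive; that is safe only if the caller honours `http_parser_has_error()` and never feeds this parser again. Style: the six `mark_*` actions and the six clear sequences are now identical pairs, so `#define MARK(FOR) do { parser->FOR##_mark = p; parser->FOR##_size = 0; } while (0)` and `#define UNMARK(FOR) do { parser->FOR##_mark = NULL; parser->FOR##_size = 0; } while (0)` next to `CALLBACK` would keep the twelve sites in sync. `action headers_complete` starts in this hunk and ends outside it.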
@@ -348,6 +387,7 @@ http_parser_init (http_parser *parser, enum http_parser_type type)
 %% write init;
 parser->cs = cs;
 parser->type = type;
+ parser->buffer_overflow = 0;
 parser->on_message_begin = NULL;
 parser->on_path = NULL;
@@ -406,6 +446,7 @@ out:
 int http_parser_has_error (http_parser *parser) {
+ if (parser->buffer_overflow) return TRUE;
 return parser->cs == http_parser_error;
 }
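Review bot: `http_parser_has_error()` now reports `buffer_overflow`, but the flag is cleared only in `http_parser_init()` (the hunk above) and not by `RESET_PARSER`, so once a field exceeds the limit the parser stays in error until it is re-initialised; nothing on this page documents that, and nothing visible stops a caller from feeding more data to a parser already in that state. Add a comment on the function, e.g. `/* Non-zero once the state machine failed or a field exceeded MAX_FIELD_SIZE; the parser must be re-initialised with http_parser_init() before reuse. */`. Consider also an early `if (parser->buffer_overflow) return 0;` at the top of the execute function, which is outside this diff, so the stale field marks left behind by the overflow path are never dereferenced.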