From dc76d95bb7b449ee7199a663ed6b0aa91d5a2546 Mon Sep 17 00:00:00 2001 From: Nate Berkopec Date: Tue, 12 Oct 2021 17:05:25 -0600 Subject: [PATCH] HTTP header field values: Allow all octets to be passed in as obscure data (#2723) --- ext/puma_http11/http11_parser.c | 38 ++++---- ext/puma_http11/http11_parser_common.rl | 2 +- .../org/jruby/puma/Http11Parser.java | 96 ++++++++++--------- 3 files changed, 72 insertions(+), 64 deletions(-) diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c index 6c571b34..a122a9a1 100644 --- a/ext/puma_http11/http11_parser.c +++ b/ext/puma_http11/http11_parser.c @@ -426,13 +426,16 @@ st18: case 18: #line 428 "ext/puma_http11/http11_parser.c" switch( (*p) ) { - case 9: goto tr25; case 13: goto tr26; case 32: goto tr27; + case 127: goto st0; } - if ( 33 <= (*p) && (*p) <= 126 ) - goto tr25; - goto st0; + if ( (*p) > 8 ) { + if ( 10 <= (*p) && (*p) <= 31 ) + goto st0; + } else if ( (*p) >= 0 ) + goto st0; + goto tr25; tr25: #line 46 "ext/puma_http11/http11_parser.rl" { MARK(mark, p); } @@ -441,14 +444,17 @@ st19: if ( ++p == pe ) goto _test_eof19; case 19: -#line 445 "ext/puma_http11/http11_parser.c" +#line 448 "ext/puma_http11/http11_parser.c" switch( (*p) ) { - case 9: goto st19; case 13: goto tr29; + case 127: goto st0; } - if ( 32 <= (*p) && (*p) <= 126 ) - goto st19; - goto st0; + if ( (*p) > 8 ) { + if ( 10 <= (*p) && (*p) <= 31 ) + goto st0; + } else if ( (*p) >= 0 ) + goto st0; + goto st19; tr9: #line 53 "ext/puma_http11/http11_parser.rl" { @@ -491,7 +497,7 @@ st20: if ( ++p == pe ) goto _test_eof20; case 20: -#line 495 "ext/puma_http11/http11_parser.c" +#line 501 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr31; case 60: goto st0; @@ -512,7 +518,7 @@ st21: if ( ++p == pe ) goto _test_eof21; case 21: -#line 516 "ext/puma_http11/http11_parser.c" +#line 522 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr33; case 60: goto st0; 
@@ -533,7 +539,7 @@ st22: if ( ++p == pe ) goto _test_eof22; case 22: -#line 537 "ext/puma_http11/http11_parser.c" +#line 543 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 43: goto st22; case 58: goto st23; @@ -558,7 +564,7 @@ st23: if ( ++p == pe ) goto _test_eof23; case 23: -#line 562 "ext/puma_http11/http11_parser.c" +#line 568 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr8; case 34: goto st0; @@ -578,7 +584,7 @@ st24: if ( ++p == pe ) goto _test_eof24; case 24: -#line 582 "ext/puma_http11/http11_parser.c" +#line 588 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr37; case 34: goto st0; @@ -601,7 +607,7 @@ st25: if ( ++p == pe ) goto _test_eof25; case 25: -#line 605 "ext/puma_http11/http11_parser.c" +#line 611 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr41; case 34: goto st0; @@ -621,7 +627,7 @@ st26: if ( ++p == pe ) goto _test_eof26; case 26: -#line 625 "ext/puma_http11/http11_parser.c" +#line 631 "ext/puma_http11/http11_parser.c" switch( (*p) ) { case 32: goto tr44; case 34: goto st0; diff --git a/ext/puma_http11/http11_parser_common.rl b/ext/puma_http11/http11_parser_common.rl index 5eba09f2..d156d046 100644 --- a/ext/puma_http11/http11_parser_common.rl +++ b/ext/puma_http11/http11_parser_common.rl @@ -43,7 +43,7 @@ field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field; - field_value = ( print | "\t" )* >start_value %write_value; + field_value = ( (any -- CTL) | "\t" )* >start_value %write_value; message_header = field_name ":" " "* field_value :> CRLF; diff --git a/ext/puma_http11/org/jruby/puma/Http11Parser.java b/ext/puma_http11/org/jruby/puma/Http11Parser.java index f5db1b69..191feeb2 100644 --- a/ext/puma_http11/org/jruby/puma/Http11Parser.java +++ b/ext/puma_http11/org/jruby/puma/Http11Parser.java 
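Review bot: The `field_value` rule in http11_parser_common.rl has no comment stating which octets it is meant to accept after the switch from `print` to `any -- CTL`, and the diffstat lists no test file pinning that boundary. Judging by the regenerated C states 18 and 19, bytes 0–8, 10–31 and 127 still go to the error state while every byte above 127 is now accepted, so the rule deserves a line such as `# field-value octets: VCHAR, SP, HTAB and obs-text (0x80-0xFF, RFC 7230 section 3.2.6); CTL octets are excluded`. A parser test that feeds NUL, LF, DEL and a 0x80–0xFF byte inside a header value to both the C and the Java parser would keep the two generated tables from drifting apart. Code that consumes these values downstream (logging, re-emitting headers to a backend) should now treat them as opaque bytes rather than printable ASCII; whether the extension tags the resulting strings with an encoding is not visible in this patch.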
@@ -34,9 +34,9 @@ private static short[] init__puma_parser_key_offsets_0() { return new short [] { 0, 0, 8, 17, 27, 29, 30, 31, 32, 33, 34, 36, - 39, 41, 44, 45, 61, 62, 78, 83, 87, 95, 103, 113, - 121, 130, 138, 146, 155, 164, 173, 182, 191, 200, 209, 218, - 227, 236, 245, 254, 263, 272, 281, 290, 299, 308, 309 + 39, 41, 44, 45, 61, 62, 78, 85, 91, 99, 107, 117, + 125, 134, 142, 150, 159, 168, 177, 186, 195, 204, 213, 222, + 231, 240, 249, 258, 267, 276, 285, 294, 303, 312, 313 }; } 
@@ -52,26 +52,27 @@ private static char[] init__puma_parser_trans_keys_0() 46, 48, 57, 48, 57, 13, 48, 57, 10, 13, 33, 124, 126, 35, 39, 42, 43, 45, 46, 48, 57, 65, 90, 94, 122, 10, 33, 58, 124, 126, 35, 39, 42, 43, 45, 46, - 48, 57, 65, 90, 94, 122, 9, 13, 32, 33, 126, 9, - 13, 32, 126, 32, 60, 62, 127, 0, 31, 34, 35, 32, - 60, 62, 127, 0, 31, 34, 35, 43, 58, 45, 46, 48, - 57, 65, 90, 97, 122, 32, 34, 35, 60, 62, 127, 0, - 31, 32, 34, 35, 60, 62, 63, 127, 0, 31, 32, 34, - 35, 60, 62, 127, 0, 31, 32, 34, 35, 60, 62, 127, - 0, 31, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, - 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, - 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, - 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, - 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, - 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, - 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, - 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, - 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, - 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, - 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, - 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, - 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, - 36, 95, 45, 46, 48, 57, 65, 90, 32, 0 + 48, 57, 65, 90, 94, 122, 13, 32, 127, 0, 8, 10, + 31, 13, 127, 0, 8, 10, 31, 32, 60, 62, 127, 0, + 31, 34, 35, 32, 60, 62, 127, 0, 31, 34, 35, 43, + 58, 45, 46, 48, 57, 65, 90, 97, 122, 32, 34, 35, + 60, 62, 127, 0, 31, 32, 34, 35, 60, 62, 63, 127, + 0, 31, 32, 34, 35, 60, 62, 127, 0, 31, 32, 34, + 35, 60, 62, 127, 0, 31, 32, 36, 95, 45, 46, 48, + 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, + 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, + 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, + 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, + 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, + 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, + 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, + 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, + 45, 46, 48, 57, 65, 90, 32, 36, 
95, 45, 46, 48, + 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, + 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, + 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, + 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, + 32, 0 }; } @@ -95,7 +96,7 @@ private static byte[] init__puma_parser_range_lengths_0() { return new byte [] { 0, 3, 3, 3, 0, 0, 0, 0, 0, 0, 1, 1, - 1, 1, 0, 6, 0, 6, 1, 1, 2, 2, 4, 1, + 1, 1, 0, 6, 0, 6, 2, 2, 2, 2, 4, 1, 1, 1, 1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0 }; @@ -108,9 +109,9 @@ private static short[] init__puma_parser_index_offsets_0() { return new short [] { 0, 0, 6, 13, 21, 24, 26, 28, 30, 32, 34, 36, - 39, 41, 44, 46, 57, 59, 70, 75, 79, 86, 93, 100, - 108, 117, 125, 133, 140, 147, 154, 161, 168, 175, 182, 189, - 196, 203, 210, 217, 224, 231, 238, 245, 252, 259, 261 + 39, 41, 44, 46, 57, 59, 70, 76, 81, 88, 95, 102, + 110, 119, 127, 135, 142, 149, 156, 163, 170, 177, 184, 191, + 198, 205, 212, 219, 226, 233, 240, 247, 254, 261, 263 }; } 
@@ -125,23 +126,24 @@ private static byte[] init__puma_parser_indicies_0() 10, 1, 11, 1, 12, 1, 13, 1, 14, 1, 15, 1, 16, 15, 1, 17, 1, 18, 17, 1, 19, 1, 20, 21, 21, 21, 21, 21, 21, 21, 21, 21, 1, 22, 1, 23, - 24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 25, 26, - 27, 25, 1, 28, 29, 28, 1, 30, 1, 1, 1, 1, - 1, 31, 32, 1, 1, 1, 1, 1, 33, 34, 35, 34, - 34, 34, 34, 1, 8, 1, 9, 1, 1, 1, 1, 35, - 36, 1, 38, 1, 1, 39, 1, 1, 37, 40, 1, 42, - 1, 1, 1, 1, 41, 43, 1, 45, 1, 1, 1, 1, - 44, 2, 46, 46, 46, 46, 46, 1, 2, 47, 47, 47, - 47, 47, 1, 2, 48, 48, 48, 48, 48, 1, 2, 49, - 49, 49, 49, 49, 1, 2, 50, 50, 50, 50, 50, 1, - 2, 51, 51, 51, 51, 51, 1, 2, 52, 52, 52, 52, - 52, 1, 2, 53, 53, 53, 53, 53, 1, 2, 54, 54, - 54, 54, 54, 1, 2, 55, 55, 55, 55, 55, 1, 2, - 56, 56, 56, 56, 56, 1, 2, 57, 57, 57, 57, 57, - 1, 2, 58, 58, 58, 58, 58, 1, 2, 59, 59, 59, - 59, 59, 1, 2, 60, 60, 60, 60, 60, 1, 2, 61, - 61, 61, 61, 61, 1, 2, 62, 62, 62, 62, 62, 1, - 2, 63, 63, 63, 63, 63, 1, 2, 1, 1, 0 + 24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 26, 27, + 1, 1, 1, 25, 29, 1, 1, 1, 28, 30, 1, 1, + 1, 1, 1, 31, 32, 1, 1, 1, 1, 1, 33, 34, + 35, 34, 34, 34, 34, 1, 8, 1, 9, 1, 1, 1, + 1, 35, 36, 1, 38, 1, 1, 39, 1, 1, 37, 40, + 1, 42, 1, 1, 1, 1, 41, 43, 1, 45, 1, 1, + 1, 1, 44, 2, 46, 46, 46, 46, 46, 1, 2, 47, + 47, 47, 47, 47, 1, 2, 48, 48, 48, 48, 48, 1, + 2, 49, 49, 49, 49, 49, 1, 2, 50, 50, 50, 50, + 50, 1, 2, 51, 51, 51, 51, 51, 1, 2, 52, 52, + 52, 52, 52, 1, 2, 53, 53, 53, 53, 53, 1, 2, + 54, 54, 54, 54, 54, 1, 2, 55, 55, 55, 55, 55, + 1, 2, 56, 56, 56, 56, 56, 1, 2, 57, 57, 57, + 57, 57, 1, 2, 58, 58, 58, 58, 58, 1, 2, 59, + 59, 59, 59, 59, 1, 2, 60, 60, 60, 60, 60, 1, + 2, 61, 61, 61, 61, 61, 1, 2, 62, 62, 62, 62, + 62, 1, 2, 63, 63, 63, 63, 63, 1, 2, 1, 1, + 0 }; } @@ -210,7 +212,7 @@ static final int puma_parser_error = 0; cs = 0; -// line 214 "ext/puma_http11/org/jruby/puma/Http11Parser.java" +// line 216 "ext/puma_http11/org/jruby/puma/Http11Parser.java" { cs = puma_parser_start; } 
@@ -242,7 +244,7 @@ static final int puma_parser_error = 0; parser.buffer = buffer; -// line 246 "ext/puma_http11/org/jruby/puma/Http11Parser.java" +// line 248 "ext/puma_http11/org/jruby/puma/Http11Parser.java" { int _klen; int _trans = 0; @@ -398,7 +400,7 @@ case 1: { p += 1; _goto_targ = 5; if (true) continue _goto;} } break; -// line 402 "ext/puma_http11/org/jruby/puma/Http11Parser.java" +// line 404 "ext/puma_http11/org/jruby/puma/Http11Parser.java" } } }