r4314 - in branches/2.0/varnish-cache/bin: varnishd varnishtest/tests

Thu Oct 8 17:19:34 CEST 2009

Author: tfheen
Date: 2009-10-08 17:19:34 +0200 (Thu, 08 Oct 2009)
New Revision: 4314

Added:
   branches/2.0/varnish-cache/bin/varnishtest/tests/r00549.vtc
Modified:
   branches/2.0/varnish-cache/bin/varnishd/cache_http.c
Log:
Merge r4221: Be much more paranoid about control-characters in backend responses.

Fixes #549



Modified: branches/2.0/varnish-cache/bin/varnishd/cache_http.c
===================================================================

--- branches/2.0/varnish-cache/bin/varnishd/cache_http.c	2009-10-08 15:12:41 UTC (rev 4313)
+++ branches/2.0/varnish-cache/bin/varnishd/cache_http.c	2009-10-08 15:19:34 UTC (rev 4314)
@@ -390,7 +390,7 @@
 http_splitline(struct worker *w, int fd, struct http *hp,
     const struct http_conn *htc, int h1, int h2, int h3)
 {
-	char *p;
+	char *p, *q;
 
 	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
@@ -403,40 +403,47 @@
 		continue;
 
 	/* First field cannot contain SP, CRLF or CTL */
-	hp->hd[h1].b = p;
-	for (; !vct_issp(*p); p++)
+	q = p;
+	for (; !vct_issp(*p); p++) {
 		if (vct_isctl(*p))
 			return (400);
+	}
+	hp->hd[h1].b = q;
 	hp->hd[h1].e = p;
 
 	/* Skip SP */
-	for (; vct_issp(*p); p++)
-		;
+	for (; vct_issp(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
 
-	/* Second field cannot contain LWS */
-	hp->hd[h2].b = p;
-	for (; !vct_islws(*p); p++)
-		;
+	/* Second field cannot contain LWS or CTL */
+	q = p;
+	for (; !vct_islws(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
+	hp->hd[h2].b = q;
 	hp->hd[h2].e = p;
 
 	if (!Tlen(hp->hd[h2]))
 		return (400);
 
 	/* Skip SP */
-	for (; vct_issp(*p); p++)
-		;
+	for (; vct_issp(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
 
 	/* Third field is optional and cannot contain CTL */
+	q = p;
 	if (!vct_iscrlf(*p)) {
-		hp->hd[h3].b = p;
 		for (; !vct_iscrlf(*p); p++)
 			if (vct_isctl(*p))
 				return (400);
-		hp->hd[h3].e = p;
-	} else {
-		hp->hd[h3].b = p;
-		hp->hd[h3].e = p;
 	}
+	hp->hd[h3].b = q;
+	hp->hd[h3].e = p;
 
 	/* Skip CRLF */
 	p += vct_skipcrlf(p);

Copied: branches/2.0/varnish-cache/bin/varnishtest/tests/r00549.vtc (from rev 4221, trunk/varnish-cache/bin/varnishtest/tests/r00549.vtc)
===================================================================
--- branches/2.0/varnish-cache/bin/varnishtest/tests/r00549.vtc	                        (rev 0)
+++ branches/2.0/varnish-cache/bin/varnishtest/tests/r00549.vtc	2009-10-08 15:19:34 UTC (rev 4314)
@@ -0,0 +1,15 @@
+# $Id$
+
+# Regression test for bad backend reply with ctrl char.
+
+server s1 {
+	rxreq
+	send "HTTP/1.1 200 OK\013\r\n\r\nTest"
+} -start
+
+varnish v1 -vcl+backend {} -start
+
+client c1 {
+	txreq
+	rxresp
+} -run

