[master] a89e93a Don't allow whitespace in ESI:include src= attributes.

Poul-Henning Kamp phk at FreeBSD.org
Tue Feb 13 08:42:12 UTC 2018 

commit a89e93af056bdff2f29b0c244040a4bdead143fb
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Feb 13 08:41:00 2018 +0000

    Don't allow whitespace in ESI:include src= attributes.

diff --git a/bin/varnishd/cache/cache_esi_parse.c b/bin/varnishd/cache/cache_esi_parse.c
index 1fd6e53..ef72eeb 100644
--- a/bin/varnishd/cache/cache_esi_parse.c
+++ b/bin/varnishd/cache/cache_esi_parse.c
@@ -445,6 +445,19 @@ vep_do_include(struct vep_state *vep, enum dowhat what)
 			VSB_destroy(&vep->include_src);
 			return;
 		}
+		for (p = VSB_data(vep->attr_vsb); *p != '\0'; p++)
+			if (vct_islws(*p))
+				break;
+		if (*p != '\0') {
+			vep_error(vep,
+			    "ESI 1.0 <esi:include> "
+			    "has whitespace in src= attribute");
+			vep->state = VEP_TAGERROR;
+			VSB_destroy(&vep->attr_vsb);
+			if (vep->include_src != NULL)
+				VSB_destroy(&vep->include_src);
+			return;
+		}
 		vep->include_src = vep->attr_vsb;
 		vep->attr_vsb = NULL;
 		return;
diff --git a/bin/varnishtest/tests/e00008.vtc b/bin/varnishtest/tests/e00008.vtc
index 71b700a..fce1345 100644
--- a/bin/varnishtest/tests/e00008.vtc
+++ b/bin/varnishtest/tests/e00008.vtc
@@ -41,6 +41,7 @@ server s1 {
 		</![CDATA[ bogo-cdata ]]>		35
 		<esi:include  src="foofof />		36
 		<esi:include  foo=bar src=/body2 />	37
+		<esi:include  src="/body 2" />		38
 	}
 	rxreq
 	expect req.url == "/body"
@@ -81,6 +82,7 @@ logexpect l1 -v v1 -g vxid {
 	expect 0 = ESI_xmlerror {^ERR after 636 XML 1.0 Illegal attribute delimiter$}
 	expect 0 = ESI_xmlerror {^ERR after 665 ESI 1.0 </esi:include> illegal end-tag$}
 	expect 0 = ESI_xmlerror {^ERR after 767 XML 1.0 Missing end attribute delimiter$}
+	expect 0 = ESI_xmlerror {^ERR after 843 ESI 1.0 <esi:include> has whitespace in src= attribute$}
 	expect 0 = BackendReuse
 } -start
 
@@ -104,11 +106,11 @@ client c1 {
 	txreq
 	rxresp
 	expect resp.status == 200
-	expect resp.bodylen == 465
+	expect resp.bodylen == 472
 }
 
 client c1 -run
 logexpect l1 -wait
 logexpect l2 -wait
 logexpect l3 -wait
-varnish v1 -expect esi_errors == 17
+varnish v1 -expect esi_errors == 18

More information about the varnish-commit mailing list