@danobi danobi commented Nov 30, 2015

Validate the host header string to prevent malformed hostnames from being let in.

Member
What about colons for IPv6 addresses?

jpeach commented Nov 30, 2015

Can you extract the guts of validate_hdr_host into a separate function and use that to add a regression test for host validation?

Are you sure that the return value of ats_ip_parse really makes sense? It looks like this code depends on it returning a successful status but not parsing any bytes.

@SolidWallOfCode
James - so split out validate_hdr_field which takes a char const* and make a regression test for that?

The use of ats_ip_parse is correct. It operates on a string and returns the separate pieces of the string. The use of the port and rest values has exactly the same dependency.

jpeach commented Dec 1, 2015

> so split out validate_hdr_field which takes a char const* and make a regression test for that?

yup

Was missing a few characters, specifically the ones for IPv6
Split out host header checking code into `validate_hdr_field()`
so that a regression test for invalid FQDNs could be added.
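
The kind of check this thread discusses, as an added example that is not part of the pull request or of Traffic Server's code: the function names are hypothetical, and the accepted character set (letters, digits, `-`, `.`, with `:` allowed only inside brackets or as the single port separator) is an assumption. It checks characters and layout only and does not parse the address itself.

```cpp
#include <cctype>
#include <string>

// Hypothetical helper (not Traffic Server code): true when every byte of
// `s` is a hex digit, ':' or '.', the only bytes an IPv6 literal may use.
static bool ipv6_chars_only(const std::string &s)
{
  if (s.empty()) return false;
  for (unsigned char c : s)
    if (!std::isxdigit(c) && c != ':' && c != '.') return false;
  return true;
}

// Hypothetical helper: a port is 1 to 5 decimal digits, value <= 65535.
static bool port_ok(const std::string &p)
{
  if (p.empty() || p.size() > 5) return false;
  for (unsigned char c : p)
    if (!std::isdigit(c)) return false;
  return std::stoi(p) <= 65535;
}

// Character-level check of a Host header value in one of the forms
// "name", "name:port", "[v6]" or "[v6]:port". A colon outside brackets
// is accepted only as the one separator before a numeric port.
bool host_header_is_valid(const std::string &host)
{
  if (host.empty()) return false;
  if (host[0] == '[') {
    auto close = host.find(']');
    if (close == std::string::npos) return false;
    if (!ipv6_chars_only(host.substr(1, close - 1))) return false;
    if (close + 1 == host.size()) return true;
    if (host[close + 1] != ':') return false;
    return port_ok(host.substr(close + 2));
  }
  std::string name = host;
  auto colon = host.find(':');
  if (colon != std::string::npos) {
    if (!port_ok(host.substr(colon + 1))) return false;
    name = host.substr(0, colon);
  }
  if (name.empty()) return false;
  for (unsigned char c : name)
    if (!std::isalnum(c) && c != '-' && c != '.') return false;
  return true;
}
```
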
@asfgit asfgit closed this in ada9752 Dec 18, 2015
maskit pushed a commit to maskit/trafficserver that referenced this pull request Feb 2, 2017
* asf/master: (392 commits)
  Doh, chomp does not trim WS ...
  Make sure any trailing WS is removed from the Jira summary
  Change the changelog.pl script to use /usr/bin/env to find perl
  TS-4089: clang-format
  [TS-4091] addressing internal headers This close apache#387.
  TS-4089: Fixed coverity issues in parent selection.
  TS-4074: Escape backslashes in user/group/machine name
  TS-4043: Prevent bogus FQDN characters in host header This close apache#356.
  TS-3418: clang-format
  This closes apache#190.
  This closes apache#321.
  TS-4071: Unused mutex Diags::rotate_lock
  TS-3418: Various style fixes.
  TS-3418: Refactored parent selection to add a secondary parent consistent hash ring.
  This closes apache#368.
  TS-4084: Empty README.md file
  TS-4079: Support for arbitrary esi vars through HTTP request headers. This closes apache#378
  TS-3944: Add documentation for TSHttpTxnServerAddrSet to clarify when it must be called. This close apache#385.
  Clang format.
  TS-3908: Fix clang errors in WCCP.
  ...