X-Git-Url: https://git.m6w6.name/?p=m6w6%2Fext-http;a=blobdiff_plain;f=php_http_header_parser.c;h=f5b88f412f627d796735a5a2ecd19e0c80d2aa6f;hp=1beaaa61db7369034e7f712d986923e4c83c7487;hb=refs%2Fheads%2Fv2.3.x;hpb=c4c3994c933b6888be3a047181b5ca3b6d22177f

diff --git a/php_http_header_parser.c b/php_http_header_parser.c
index 1beaaa6..f5b88f4 100644
--- a/php_http_header_parser.c
+++ b/php_http_header_parser.c
@@ -96,6 +96,25 @@ void php_http_header_parser_free(php_http_header_parser_t **parser)
 	}
 }
 
+/* NOTE: 'str' has to be null terminated */
+static void php_http_header_parser_error(size_t valid_len, char *str, size_t len, const char *eol_str TSRMLS_DC)
+{
+	int escaped_len;
+	char *escaped_str;
+
+	escaped_str = php_addcslashes(str, len, &escaped_len, 0, ZEND_STRL("\x0..\x1F\x7F..\xFF") TSRMLS_CC);
+
+	if (valid_len != len && (!eol_str || (str+valid_len) != eol_str)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to parse headers: unexpected character '\\%03o' at pos %zu of '%.*s'", str[valid_len], valid_len, escaped_len, escaped_str);
+	} else if (eol_str) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to parse headers: unexpected end of line at pos %zu of '%.*s'", eol_str - str, escaped_len, escaped_str);
+	} else {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to parse headers: unexpected end of input at pos %zu of '%.*s'", len, escaped_len, escaped_str);
+	}
+
+	efree(escaped_str);
+}
+
 STATUS php_http_header_parser_parse(php_http_header_parser_t *parser, php_http_buffer_t *buffer, unsigned flags, HashTable *headers, php_http_info_callback_t callback_func, void *callback_arg)
 {
 	TSRMLS_FETCH_FROM_CTX(parser->ts);
@@ -108,6 +127,7 @@ STATUS php_http_header_parser_parse(php_http_header_parser_t *parser, php_http_b
 #endif
 		switch (php_http_header_parser_state_pop(parser)) {
 			case PHP_HTTP_HEADER_PARSER_STATE_FAILURE:
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to parse headers");
 				return php_http_header_parser_state_push(parser, 1, PHP_HTTP_HEADER_PARSER_STATE_FAILURE);
 
 			case PHP_HTTP_HEADER_PARSER_STATE_START: {
@@ -140,12 +160,24 @@ STATUS php_http_header_parser_parse(php_http_header_parser_t *parser, php_http_b
 					php_http_header_parser_state_push(parser, 1, PHP_HTTP_HEADER_PARSER_STATE_HEADER_DONE);
 				} else if ((colon = memchr(buffer->data, ':', buffer->used)) && (!eol_str || eol_str > colon)) {
 					/* header: string */
-					parser->_key.str = estrndup(buffer->data, parser->_key.len = colon - buffer->data);
+					size_t valid_len;
+
+					parser->_key.len = colon - buffer->data;
+					parser->_key.str = estrndup(buffer->data, parser->_key.len);
+
+					valid_len = strspn(parser->_key.str, PHP_HTTP_HEADER_NAME_CHARS);
+					if (valid_len != parser->_key.len) {
+						php_http_header_parser_error(valid_len, parser->_key.str, parser->_key.len, eol_str TSRMLS_CC);
+						PTR_SET(parser->_key.str, NULL);
+						return php_http_header_parser_state_push(parser, 1, PHP_HTTP_HEADER_PARSER_STATE_FAILURE);
+					}
 					while (PHP_HTTP_IS_CTYPE(space, *++colon) && *colon != '\n' && *colon != '\r');
 					php_http_buffer_cut(buffer, 0, colon - buffer->data);
 					php_http_header_parser_state_push(parser, 1, PHP_HTTP_HEADER_PARSER_STATE_VALUE);
-				} else if (flags & PHP_HTTP_HEADER_PARSER_CLEANUP) {
-					/* neither reqeust/response line nor header: string */
+				} else if (eol_str || (flags & PHP_HTTP_HEADER_PARSER_CLEANUP)) {
+					/* neither reqeust/response line nor 'header:' string, or injected new line or NUL etc. */
+					php_http_buffer_fix(buffer);
+					php_http_header_parser_error(strspn(buffer->data, PHP_HTTP_HEADER_NAME_CHARS), buffer->data, buffer->used, eol_str TSRMLS_CC);
 					return php_http_header_parser_state_push(parser, 1, PHP_HTTP_HEADER_PARSER_STATE_FAILURE);
 				} else {
 					/* keep feeding */
@@ -214,6 +246,17 @@ STATUS php_http_header_parser_parse(php_http_header_parser_t *parser, php_http_b
 			case PHP_HTTP_HEADER_PARSER_STATE_HEADER_DONE:
 				if (parser->_key.str && parser->_val.str) {
 					zval array, **exist;
+					size_t valid_len = strlen(parser->_val.str);
+
+					/* check for truncation */
+					if (valid_len != parser->_val.len) {
+						php_http_header_parser_error(valid_len, parser->_val.str, parser->_val.len, NULL TSRMLS_CC);
+
+						PTR_SET(parser->_key.str, NULL);
+						PTR_SET(parser->_val.str, NULL);
+
+						return php_http_header_parser_state_push(parser, 1, PHP_HTTP_HEADER_PARSER_STATE_FAILURE);
+					}
 
 					if (!headers && callback_func) {
 						callback_func(callback_arg, &headers, NULL TSRMLS_CC);
@@ -246,7 +289,7 @@ STATUS php_http_header_parser_parse(php_http_header_parser_t *parser, php_http_b
 
 php_http_header_parser_state_t php_http_header_parser_parse_stream(php_http_header_parser_t *parser, php_http_buffer_t *buf, php_stream *s, unsigned flags, HashTable *headers, php_http_info_callback_t callback_func, void *callback_arg)
 {
-	php_http_message_parser_state_t state = PHP_HTTP_MESSAGE_PARSER_STATE_START;
+	php_http_header_parser_state_t state = PHP_HTTP_HEADER_PARSER_STATE_START;
 	TSRMLS_FETCH_FROM_CTX(parser->ts);
 
 	if (!buf->data) {
@@ -255,7 +298,8 @@ php_http_header_parser_state_t php_http_header_parser_parse_stream(php_http_head
 	while (1) {
 		size_t justread = 0;
 #if DBG_PARSER
-		fprintf(stderr, "#SHP: %s (f:%u)\n", php_http_message_parser_state_name(state), flags);
+		const char *states[] = {"START", "KEY", "VALUE", "VALUE_EX", "HEADER_DONE", "DONE"};
+		fprintf(stderr, "#SHP: %s (f:%u)\n", states[state], flags);
 #endif
 		/* resize if needed */
 		if (buf->free < 0x1000) {