Request format checking improved

PythonGermany · PythonGermany · commit 01b0cdc8c096 · 2023-10-21T12:06:38.000+02:00
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ This project is a basic HTTP server written in C++98.
 
 | Functionality | Description | External info
 | --- | --- | --- | 
-| HTTP | HTTP/1.1 | [RFC 2616](https://datatracker.ietf.org/doc/html/rfc2616) |
+| HTTP | HTTP/1.1 | [RFC 2616](https://datatracker.ietf.org/doc/html/rfc2616) / [RFC 9110](https://datatracker.ietf.org/doc/html/rfc9110#section-9.3.7) / [RFC 9112](https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding) |
 | CGI | CGI/1.1 (Tested with php-cgi, using wordpress, and python cgi) | [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) |
 | Implemented methods | GET / HEAD / OPTIONS / POST / PUT / DELETE | [RFC 2616 section 5.1.1](https://datatracker.ietf.org/doc/html/rfc2616#section-5.1.1) |
 | Basic cookie support | Tested with wordpress | [RFC 2109](https://datatracker.ietf.org/doc/html/rfc2109) |
diff --git a/include/utils/utils.hpp b/include/utils/utils.hpp
@@ -16,19 +16,21 @@
 
 #include "colors.hpp"
 
+#define WHITESPACE " \f\n\r\t\v"
+
 // Trims start and end of a string
 // @param str The string to trim
 // @param chars The characters to trim
 // @return The trimmed string
 // @exception No custom exceptions
-std::string trim(const std::string& str, std::string chars = " \f\n\r\t\v");
+std::string trim(const std::string& str, std::string chars = WHITESPACE);
 
 // Trim the start of a string
 // @param str The string to trim
 // @param chars The characters to trim
 // @return The trimmed string
 // @exception No custom exceptions
-std::string& trimStart(std::string& str, std::string chars = " \f\n\r\t\v");
+std::string& trimStart(std::string& str, std::string chars = WHITESPACE);
 
 std::string trimStart(const std::string& str, std::string chars);
 
diff --git a/src/http/Http.cpp b/src/http/Http.cpp
@@ -25,13 +25,11 @@ Http::~Http() {
 void Http::OnRequestRecv(std::string msg) {
   accessLog_g.write("HTTP status: '" + msg + "'", VERBOSE);
 
-  const std::string &delim = getReadDelimiter();
-  if (startsWith(msg, delim)) return;
-  _request = Request();
+  // https://datatracker.ietf.org/doc/html/rfc9112#section-2.2-6
+  if (msg.empty()) return;
 
-  msg.erase(msg.size() - delim.size(), delim.size());
+  _request = Request();
   bool parseRet = _request.parseRequestLine(msg);
-
   _log = toString<Address &>(client) + ": " + _request.getMethod() + " " +
          _request.getUri().generate() + " " + _request.getVersion() + " -> " +
          toString<Address &>(host);
@@ -60,6 +58,7 @@ void Http::OnRequestRecv(std::string msg) {
 void Http::OnHeadRecv(std::string msg) {
   accessLog_g.write("HTTP head: '" + msg + "'", VERBOSE);
 
+  // https://datatracker.ietf.org/doc/html/rfc9112#section-2.2-8
   if (_request.parseHeaderFields(msg))
     processError("400", "Bad Request", true);
   else {
@@ -98,7 +97,7 @@ void Http::OnChunkSizeRecv(std::string msg) {
 void Http::OnTrailerRecv(std::string msg) {
   accessLog_g.write("HTTP trailer: '" + msg + "'", VERBOSE);
 
-  if (msg == getReadDelimiter()) {
+  if (msg.empty()) {
     if (_request.isMethod("PUT"))
       getPutResponse(_uri);
     else if (_request.isMethod("POST")) {
diff --git a/src/http/Request.cpp b/src/http/Request.cpp
@@ -74,22 +74,31 @@ int Request::parseRequestLine(std::string line) {
   if (requestLineTokens.size() != 3) return 1;
   _method = requestLineTokens[0];
   _version = requestLineTokens[2];
+
+  // https://datatracker.ietf.org/doc/html/rfc9112#name-method and
+  // https://datatracker.ietf.org/doc/html/rfc9112#name-http-version
+  if (_method.find_first_of(WHITESPACE) != std::string::npos ||
+      _version.find_first_of(WHITESPACE) != std::string::npos)
+    return 1;
   if (!startsWith(_version, "HTTP/")) return 1;
   return _uri.load(requestLineTokens[1]);
 }
 
 int Request::parseHeaderFields(std::string fields) {
-  size_t end = fields.find("\r\n");
-
-  while (end != 0 && end != std::string::npos) {
+  size_t end;
+  while (true) {
+    end = fields.find("\r\n");
+    if (end == std::string::npos) end = fields.size();
     std::string line = fields.substr(0, end);
     size_t colon = line.find(":");
     if (colon == std::string::npos) return 1;
+
     std::string key = line.substr(0, colon);
+    if (key.find_first_of(WHITESPACE) != std::string::npos) return 1;
+
     std::string value = line.substr(colon + 1);
     setHeaderField(key, value);
     fields.erase(0, line.size() + 2);
-    end = fields.find("\r\n");
+    if (fields.empty()) return 0;
   }
-  return 0;
 }
diff --git a/src/poll/AConnection.cpp b/src/poll/AConnection.cpp
@@ -338,7 +338,7 @@ void AConnection::passReadBuffer(struct pollfd &pollfd) {
   while (pollfd.events & POLLIN) {
     pos = _readBuffer.find(readDelimiter);
     if (pos == std::string::npos) break;
-    pos += readDelimiter.size();
+    size_t tmpReadDelim = readDelimiter.size();
 
     switch (_readState) {
       case REQUEST_LINE:
@@ -362,7 +362,7 @@ void AConnection::passReadBuffer(struct pollfd &pollfd) {
       default:
         throw std::runtime_error("passReadBuffer(): Undefined read state");
     }
-    _readBuffer.erase(0, pos);
+    _readBuffer.erase(0, pos + tmpReadDelim);
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,7 @@ void AConnection::passReadBuffer(struct pollfd &pollfd) {`
`338`	`338`	`while (pollfd.events & POLLIN) {`
`339`	`339`	`pos = _readBuffer.find(readDelimiter);`
`340`	`340`	`if (pos == std::string::npos) break;`
`341`		`- pos += readDelimiter.size();`
	`341`	`+ size_t tmpReadDelim = readDelimiter.size();`
`342`	`342`
`343`	`343`	`switch (_readState) {`
`344`	`344`	`case REQUEST_LINE:`
`@@ -362,7 +362,7 @@ void AConnection::passReadBuffer(struct pollfd &pollfd) {`
`362`	`362`	`default:`
`363`	`363`	`throw std::runtime_error("passReadBuffer(): Undefined read state");`
`364`	`364`	`}`
`365`		`- _readBuffer.erase(0, pos);`
	`365`	`+ _readBuffer.erase(0, pos + tmpReadDelim);`
`366`	`366`	`}`
`367`	`367`	`}`
`368`	`368`