httparse
httparse copied to clipboard
seanmonstar
`Request::parse()` accepts invalid methods.
This issue seems to be related to https://github.com/seanmonstar/httparse/issues/161.
Consider this example :
#[test]
fn invalid_methods() {
let src = "\"some,unvalid%GET{}:; / HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n";
let mut headers = [httparse::EMPTY_HEADER; 32];
let mut req = httparse::Request::new(&mut headers);
let status = req.parse(src.as_bytes()).unwrap();
assert!(status.is_complete());
assert_eq!(req.method, Some("\"some,unvalid%GET{}:;"))
}
From the MDN and my understanding of the RFC, methods MUST be defined by the following grammar:
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
"^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
Took a look at the RFC 2616 which gives the following grammar rule in the 5.1.1 section regarding HTTP methods (including user-defined ones):
Method = "OPTIONS"
| "GET"
| "HEAD"
| "POST"
| "PUT"
| "DELETE"
| "TRACE"
| "CONNECT"
| extension-method
extension-method = token
The token grammar is defined in the 2.2 section as:
token = 1*<any CHAR except CTLs or separators>
separators = "(" | ")" | "<" | ">" | "@"
| "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "="
| "{" | "}" | SP | HT
My previous example contained characters that were separators and AFAIU, the parse() method should have rejected it but here's another example where all of the method's characters are separators:
#[test]
fn invalid_methods() {
let src = "()<>@,;:\\\"/[]?={} / HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n";
let mut headers = [httparse::EMPTY_HEADER; 32];
let mut req = httparse::Request::new(&mut headers);
let status = req.parse(src.as_bytes()).unwrap();
assert!(status.is_complete());
assert_eq!(req.method, Some("()<>@,;:\\\"/[]?={}"))
}