[Bro-Dev] [Bro-Commits] [git/bro] master: Adapting the HTTP request line parsing to only accept methods consisting of letters [A-Za-z]. (5751046)
Vlad Grigorescu
vladg at cmu.edu
Wed Dec 5 17:21:37 PST 2012
One of the things I found when I turned this on in production was a Microsoft product that was using some custom HTTP methods: CCM_POST and BITS_POST. I'd say add underscore to this as well, maybe even hyphen.
If we want to take this further, the HTTP/1.1 and HTTP/1.0 RFCs say that the request method must be a token. Tokens are defined as:
> token = 1*<any CHAR except CTLs or separators>
> separators = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
Thoughts?
--Vlad
On Dec 5, 2012, at 7:57 PM, Robin Sommer <robin at icir.org> wrote:
> commit 57510464a1c100f174382daa48934f2404762f3d
> Author: Robin Sommer <robin at icir.org>
> Date: Wed Dec 5 16:44:04 2012 -0800
>
> Adapting the HTTP request line parsing to only accept methods
> consisting of letters [A-Za-z].
>
> I had some bogus HTTP sessions now with the test-suite that reported
> data as HTTP because it started with "<!... ". Requiring letters seems
> a reasonable constraint.
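
The two rules discussed in this thread, side by side, as an added example that is not part of the original messages and not Bro's parser code: a letters-only check as the commit message describes, and a token check following the grammar quoted above. The function names and the sample request lines are constructed for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Separators from the quoted grammar: ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
static const char kSeparators[] = "()<>@,;:\\\"/[]?={} \t";

// Method is everything before the first space of the request line.
std::string method_of(const std::string& line) {
    return line.substr(0, line.find(' '));
}

// Rule from the commit message: one or more letters [A-Za-z].
bool letters_only(const std::string& m) {
    if (m.empty()) return false;
    for (unsigned char c : m)
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))) return false;
    return true;
}

// token = 1*<any CHAR except CTLs or separators>
// CHAR is US-ASCII (0-127); CTLs are 0-31 and 127 (DEL).
bool is_token(const std::string& m) {
    if (m.empty()) return false;
    for (unsigned char c : m) {
        if (c < 32 || c >= 127) return false;          // CTL or non-ASCII
        if (std::strchr(kSeparators, c)) return false; // separator
    }
    return true;
}

int main() {
    // Constructed sample lines; the paths are placeholders.
    const char* samples[] = {
        "GET / HTTP/1.1",
        "CCM_POST /example HTTP/1.1",
        "BITS_POST /example HTTP/1.1",
        "M-SEARCH * HTTP/1.1",
        "<!DOCTYPE html>",
    };
    for (const char* s : samples) {
        std::string m = method_of(s);
        std::printf("%-10s letters_only=%d token=%d\n", m.c_str(),
                    letters_only(m), is_token(m));
    }
    return 0;
}
```

The token rule admits the underscore and hyphen methods that the letters-only rule drops, and both rules reject a first word that begins with "<".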