[Bro-Dev] [Bro-Commits] [git/bro] master: Adapting the HTTP request line parsing to only accept methods consisting of letters [A-Za-z]. (5751046)

Vlad Grigorescu vladg at cmu.edu
Wed Dec 5 17:21:37 PST 2012


One of the things I found when I turned this on in production was a Microsoft product that was using some custom HTTP methods: CCM_POST and BITS_POST. I'd say add underscore to this as well, maybe even hyphen.

If we want to take this further, the HTTP/1.1 and HTTP/1.0 RFCs say that the request method must be a token. Tokens are defined as:

>       token          = 1*<any CHAR except CTLs or separators>
>       separators     = "(" | ")" | "<" | ">" | "@"
>                      | "," | ";" | ":" | "\" | <">
>                      | "/" | "[" | "]" | "?" | "="
>                      | "{" | "}" | SP | HT

Thoughts?

  --Vlad

On Dec 5, 2012, at 7:57 PM, Robin Sommer <robin at icir.org> wrote:

> commit 57510464a1c100f174382daa48934f2404762f3d
> Author: Robin Sommer <robin at icir.org>
> Date:   Wed Dec 5 16:44:04 2012 -0800
> 
>    Adapting the HTTP request line parsing to only accept methods
>    consisting of letters [A-Za-z].
> 
>    I had some bogus HTTP sessions now with the test-suite that reported
>    data as HTTP because it started with "<!... ". Requiring letters seems
>    a reasonable constraint.
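
The three method-validation options raised in this thread (letters only, letters plus underscore and hyphen, and the RFC token rule quoted above), compared side by side. This is an added example, not part of the original message and not Bro's own code; the policy names, the `method_ok` function and the sample request lines are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Policy names are hypothetical labels for the options raised in the thread.
enum class MethodPolicy { LettersOnly, LettersUnderscoreHyphen, Rfc2616Token };

static bool is_alpha(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

// token char = any CHAR (0..127) except CTLs (0..31, 127) and separators.
static bool is_token_char(unsigned char c) {
    if (c <= 31 || c >= 127) return false;
    return std::strchr("()<>@,;:\\\"/[]?={} \t", c) == nullptr;
}

// True if the bytes before the first SP form an acceptable method.
bool method_ok(const std::string& line, MethodPolicy policy) {
    std::size_t end = line.find(' ');
    if (end == std::string::npos || end == 0) return false;
    for (std::size_t i = 0; i < end; ++i) {
        unsigned char c = static_cast<unsigned char>(line[i]);
        bool ok = false;
        switch (policy) {
        case MethodPolicy::LettersOnly: ok = is_alpha(c); break;
        case MethodPolicy::LettersUnderscoreHyphen:
            ok = is_alpha(c) || c == '_' || c == '-'; break;
        case MethodPolicy::Rfc2616Token: ok = is_token_char(c); break;
        }
        if (!ok) return false;
    }
    return true;
}

int main() {
    // Constructed sample first lines; paths are placeholders.
    const char* samples[] = {"GET / HTTP/1.1", "CCM_POST /x HTTP/1.1",
                             "BITS_POST /x HTTP/1.1", "<!abc def", "!abc def"};
    for (const char* s : samples)
        std::printf("%-24s letters=%d letters+_-=%d token=%d\n", s,
                    method_ok(s, MethodPolicy::LettersOnly),
                    method_ok(s, MethodPolicy::LettersUnderscoreHyphen),
                    method_ok(s, MethodPolicy::Rfc2616Token));
    return 0;
}
```

Because `<` is a separator, data beginning with `<!` is rejected under the token rule as well, while a line beginning with `!` passes it and is rejected only by the two stricter policies.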



