[Bro-Dev] [JIRA] (BIT-1235) HTTP multipart POST request alters file contents

Brian O'Berry (JIRA) jira at bro-tracker.atlassian.net
Mon Aug 25 06:25:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700#comment-17700 ] 

Brian O'Berry commented on BIT-1235:

Okay, the patch is incorrect because it assumes only a single file in the multipart form, which I think means the solution has to be addressed in tcp and/or mime parsing code. Could it be as simple as changing the if statements in analyzer::tcp::Content_Analyzer::DoDeliverOnce() to be equality tests rather than bitwise ANDs (ContentLine.cc lines 242 and 256)? There's also this code to think about in DoDeliver() starting at line 141:
		if ( (CR_LF_as_EOL & CR_as_EOL) &&
		     last_char == '\r' && *data == '\n' )
			// CR is already considered as EOL.
			// Compress CRLF to just one line termination.
			// Note, we test this prior to checking for
			// "plain delivery" because (1) we might have
			// made the decision to switch to plain delivery
			// based on a line terminated with '\r' for
			// which a '\n' then arrived, and (2) we are
			// careful when executing plain delivery to
			// clear last_char once we do so.
			last_char = *data;
			--len; ++data; ++seq;

> HTTP multipart POST request alters file contents
> ------------------------------------------------
>                 Key: BIT-1235
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1235
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: CentOS 6.5, file extract analyzer
>            Reporter: Brian O'Berry
>         Attachments: bro-2.3-HTTP.patch, gdb.log, upload-api-http.pcap
> HTTP POST multipart processing converts bare CR or LF chars to CRLF pairs, corrupting most files when extracted with Files::ANALYZER_EXTRACT.  This is clear in the attached gdb.log, which has a backtrace that shows a buffer with the start of a PDF file entering MIME/HTTP entity processing at frame 25, and emerging with LF chars converted to CRLF at frame 6.
> Also attached are the pcap file associated with the backtrace, and an initial patch that we've barely begun to test.  A point of concern with the patch is that it changes a weird.log entry from "line_terminated_with_single_CR" to "http_no_crlf_in_header_list".  It does enable Files::ANALYZER_EXTRACT to correctly extract the PDF file from the attached pcap.
> Please let me know if we can provide anything else to help with this.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list