[Bro-Dev] [JIRA] (BIT-1235) HTTP multipart POST request alters file contents

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Oct 16 06:38:08 PDT 2014

     [ https://bro-tracker.atlassian.net/browse/BIT-1235?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1235:

    Assignee: Robin Sommer  (was: Jon Siwek)

> HTTP multipart POST request alters file contents
> ------------------------------------------------
>                 Key: BIT-1235
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1235
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: CentOS 6.5, file extract analyzer
>            Reporter: Brian O'Berry
>            Assignee: Robin Sommer
>             Fix For: 2.4
>         Attachments: bro-2.3-HTTP.patch, gdb.log, upload-api-http.pcap
> HTTP POST multipart processing converts bare CR or LF chars to CRLF pairs, corrupting most files when extracted with Files::ANALYZER_EXTRACT.  This is clear in the attached gdb.log, which has a backtrace that shows a buffer with the start of a PDF file entering MIME/HTTP entity processing at frame 25, and emerging with LF chars converted to CRLF at frame 6.
> Also attached are the pcap file associated with the backtrace, and an initial patch that we've barely begun to test.  A point of concern with the patch is that it changes a weird.log entry from "line_terminated_with_single_CR" to "http_no_crlf_in_header_list".  It does enable Files::ANALYZER_EXTRACT to correctly extract the PDF file from the attached pcap.
> Please let me know if we can provide anything else to help with this.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list