[Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required

Mark Fernandez (JIRA) jira at bro-tracker.atlassian.net
Mon Nov 23 08:14:00 PST 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23000#comment-23000 ] 

Mark Fernandez commented on BIT-939:
------------------------------------

I was just reviewing the weird logs and found 'unescaped_special_URI_char' entries. Curious, I reviewed HTTP.cc to determine what is considered a special character. When I reviewed the routines 'analyzer::http::is_reserved_URI_char' and 'analyzer::http::is_unreserved_URI_char', I had the same concern as the person who originally posted this issue. The characters defined as 'reserved' changed from RFC 2396 (dated 1998), on which the http analyzer is based, to the newest publication RFC 3986 (dated 2005). Ditto for 'unreserved' characters. Comparison between the two RFCs is contained below.

RFC 2396 Unreserved:
alphanum - . _ ~ ! * ' ( )

RFC 3986 Unreserved:
alphanum - . _ ~


RFC 2396 Reserved:
; / ? : @ & = + $ ,

RFC 3986 Reserved:
: / ? # [ ] @   // Called General Delimiters
! $ & ' ( ) * + , ; =   // Called Sub-Delimiters

You can see that some characters were moved from 'unreserved' to 'reserved', as well as many new characters being deemed 'reserved'.

Should the code in HTTP.cc be updated to reflect the changes from RFC 2396 to RFC 3986?

Thanks!

> HTTP parser refact & redesign required
> --------------------------------------
>
>                 Key: BIT-939
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-939
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: drmckay
>             Fix For: 2.5
>
>
> Hi,
> In the HTTP parser implementation you are following an old, obsoleted RFC from 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
> Please review and refactor your code (an unescapeURI() redesign is also needed, to minimize false positives).
> Thanks.



--
This message was sent by Atlassian JIRA
(v7.1.0-OD-01-053#71000)
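
Added example (not part of the original message and not Bro's code): a C++ comparison of the two RFC character tables exactly as listed in the comment above, showing which characters change class and how that changes what a URI scan reports. The function names are hypothetical, and the rule that a character is reported when it is neither reserved, unreserved nor '%' is an assumption, not taken from HTTP.cc.

```cpp
#include <cstring>
#include <iostream>
#include <string>

enum class UriClass { Unreserved, Reserved, Other };

// Character sets as listed in the comparison above ("alphanum" handled separately).
static const char* const RFC2396_UNRESERVED = "-._~!*'()";
static const char* const RFC2396_RESERVED   = ";/?:@&=+$,";
static const char* const RFC3986_UNRESERVED = "-._~";
static const char* const RFC3986_RESERVED   = ":/?#[]@" "!$&'()*+,;=";  // gen-delims, sub-delims

static bool is_ascii_alnum(char c) {
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

static UriClass classify(char c, const char* unreserved, const char* reserved) {
    if (c == '\0') return UriClass::Other;  // strchr would match the terminator
    if (is_ascii_alnum(c) || std::strchr(unreserved, c)) return UriClass::Unreserved;
    if (std::strchr(reserved, c)) return UriClass::Reserved;
    return UriClass::Other;
}

UriClass classify_rfc2396(char c) { return classify(c, RFC2396_UNRESERVED, RFC2396_RESERVED); }
UriClass classify_rfc3986(char c) { return classify(c, RFC3986_UNRESERVED, RFC3986_RESERVED); }

// Printable ASCII characters whose class differs between the two RFCs.
std::string reclassified_chars() {
    std::string out;
    for (int c = 0x21; c <= 0x7e; ++c)
        if (classify_rfc2396(char(c)) != classify_rfc3986(char(c))) out += char(c);
    return out;
}

// ASSUMPTION (not taken from HTTP.cc): a character is reported when it is
// neither reserved, unreserved, nor the escape character '%'.
std::string reported_chars(const std::string& uri, bool use_rfc3986) {
    std::string out;
    for (char c : uri) {
        UriClass k = use_rfc3986 ? classify_rfc3986(c) : classify_rfc2396(c);
        if (k == UriClass::Other && c != '%') out += c;
    }
    return out;
}

int main() {
    const std::string uri = "/a[1]/b(2)#frag%20<x>";  // constructed sample input
    std::cout << "reclassified: " << reclassified_chars() << "\n"
              << "RFC 2396:     " << reported_chars(uri, false) << "\n"
              << "RFC 3986:     " << reported_chars(uri, true) << "\n";
}
```

Under the assumed rule, '#', '[' and ']' in the constructed URI are reported with the RFC 2396 tables but not with the RFC 3986 tables, while '<' and '>' are reported under both.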

