http: reject non-LWS CTL chars (0..31 + 127) in field values

RFC 2616 doesn't appear to allow most CTL bytes even though Mongrel always did. Rack::Lint disallows 0..31, too, though we allow "\t" (HT, 09) since it's LWS and allowed by RFC 2616.
author: Eric Wong <e@80x24.org> 2017-03-05 02:55:55 +0000
committer: Eric Wong <e@80x24.org> 2017-03-05 02:55:55 +0000
commit: f91eb40ada640b673a11a2f87dab50b6568a0b64 (patch)
tree: af41edc23991f0c06b62790e06f2b0df54b262fd
parent: eb6e9e5bac6ced303de5f9f8b103ef3fa31fde7c (diff)
download: kcar-f91eb40ada640b673a11a2f87dab50b6568a0b64.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/ext/kcar/kcar_http_common.rl b/ext/kcar/kcar_http_common.rl
index 36752b0..cb89248 100644
--- a/ext/kcar/kcar_http_common.rl
+++ b/ext/kcar/kcar_http_common.rl
@@ -21,6 +21,7 @@
    pchar = (uchar | ":" | "@" | "&" | "=" | "+");
    tspecials = ("(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\\" | "\"" | "/" | "[" | "]" | "?" | "=" | "{" | "}" | " " | "\t");
    lws = (" " | "\t");
+  content = ((any -- CTL) | lws);
  
  # elements
    token = (ascii -- (CTL | tspecials));
@@ -32,9 +33,9 @@
  
    field_name = ( token -- ":" )+ >start_field %write_field;
  
-  field_value = any* >start_value %write_value;
+  field_value = content* >start_value %write_value;
  
-  value_cont = lws+ any* >start_value %write_cont_value;
+  value_cont = lws+ content* >start_value %write_cont_value;
  
    message_header = ((field_name ":" lws* field_value)|value_cont) :> CRLF;
    chunk_ext_val = token*;
author	Eric Wong <e@80x24.org>	2017-03-05 02:55:55 +0000
committer	Eric Wong <e@80x24.org>	2017-03-05 02:55:55 +0000
commit	f91eb40ada640b673a11a2f87dab50b6568a0b64 (patch)
tree	af41edc23991f0c06b62790e06f2b0df54b262fd
parent	eb6e9e5bac6ced303de5f9f8b103ef3fa31fde7c (diff)
download	kcar-f91eb40ada640b673a11a2f87dab50b6568a0b64.tar.gz