Merge pull request #2554 from drwetter/noCtrlCharInHeader_3.0

No ctrl char in header (3.0)
This commit is contained in:
Dirk Wetter 2024-09-03 20:50:00 +02:00 committed by GitHub
commit 1296279fa9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -2253,7 +2253,12 @@ run_http_header() {
# Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested # Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested
# so far seem not to be fine with header containing x0d x0a (CRLF) which is the usual case. # so far seem not to be fine with header containing x0d x0a (CRLF) which is the usual case.
# So we also trigger also on any sign on a single line which is not alphanumeric (plus _) # So we also trigger also on any sign on a single line which is not alphanumeric (plus _)
sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE >$HEADERFILE.tmp #
# Also we use tr here to remove any crtl chars which the server side offers --> possible security problem
# Only allowed now is LF + CR. See #2337
# awk, see above, doesn't seem to care
sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE | tr -d '\000-\011\013\014\016-\037' >$HEADERFILE.tmp
sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE | tr -d '\000-\010\013\014\016-\037' >$HEADERFILE.tmp
# Now to be more sure we delete from '<' or '{' maybe with a leading blank until the end # Now to be more sure we delete from '<' or '{' maybe with a leading blank until the end
sed -e '/^ *<.*$/d' -e '/^ *{.*$/d' $HEADERFILE.tmp >$HEADERFILE sed -e '/^ *<.*$/d' -e '/^ *{.*$/d' $HEADERFILE.tmp >$HEADERFILE
debugme echo -e "---\n $(< $HEADERFILE) \n---" debugme echo -e "---\n $(< $HEADERFILE) \n---"