From 5e95efb9663c78e8cc437d6943e16fab3a68edd0 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 2 May 2019 10:49:29 +0200 Subject: [PATCH 1/2] http: configures libhtp to allow spaces in uri Ticket: #2881 --- configure.ac | 2 ++ doc/userguide/upgrade.rst | 3 +++ src/app-layer-htp.c | 3 +++ 3 files changed, 8 insertions(+) diff --git a/configure.ac b/configure.ac index 8bb752715f53..96773f8def19 100644 --- a/configure.ac +++ b/configure.ac @@ -1590,6 +1590,7 @@ AC_CHECK_LIB([htp], [htp_tx_get_response_headers_raw],AC_DEFINE_UNQUOTED([HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW],[1],[Found htp_tx_get_response_headers_raw in libhtp]) ,,[-lhtp]) AC_CHECK_LIB([htp], [htp_decode_query_inplace],AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Found htp_decode_query_inplace function in libhtp]) ,,[-lhtp]) AC_CHECK_LIB([htp], [htp_config_set_response_decompression_layer_limit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT],[1],[Found htp_config_set_response_decompression_layer_limit function in libhtp]) ,,[-lhtp]) + AC_CHECK_LIB([htp], [htp_config_set_allow_space_uri],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_ALLOW_SPACE_URI],[1],[Found htp_config_set_allow_space_uri function in libhtp]) ,,[-lhtp]) AC_EGREP_HEADER(htp_config_set_path_decode_u_encoding, htp/htp.h, AC_DEFINE_UNQUOTED([HAVE_HTP_SET_PATH_DECODE_U_ENCODING],[1],[Found usable htp_config_set_path_decode_u_encoding function in libhtp]) ) AC_CHECK_LIB([htp], [htp_config_set_lzma_memlimit],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT],[1],[Found htp_config_set_lzma_memlimit function in libhtp]) ,,[-lhtp]) AC_CHECK_LIB([htp], [htp_config_set_lzma_layers],AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_LAYERS],[1],[Found htp_config_set_lzma_layers function in libhtp]) ,,[-lhtp]) @@ -1615,6 +1616,7 @@ AC_DEFINE_UNQUOTED([HAVE_HTP_DECODE_QUERY_INPLACE],[1],[Assuming htp_decode_query_inplace function in bundled libhtp]) # enable when libhtp has been updated AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_RESPONSE_DECOMPRESSION_LAYER_LIMIT],[1],[Assuming htp_config_set_response_decompression_layer_limit function in bundled libhtp]) + AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_ALLOW_SPACE_URI],[1],[Assuming htp_config_set_allow_space_uri function in bundled libhtp]) AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_MEMLIMIT],[1],[Assuming htp_config_set_lzma_memlimit function in bundled libhtp]) AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_LZMA_LAYERS],[1],[Assuming htp_config_set_lzma_layers function in bundled libhtp]) AC_DEFINE_UNQUOTED([HAVE_HTP_CONFIG_SET_COMPRESSION_BOMB_LIMIT],[1],[Assuming htp_config_set_compression_bomb_limit function in bundled libhtp]) diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 991e55ae75c1..767df33f1b7b 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -47,6 +47,9 @@ Major changes `_. - New protocols enabled by default: bittorrent-dht, quic, http2. - The telnet protocol is also enabled by default, but only for the ``app-layer``. +- Spaces are accepted in HTTP1 URIs instead of in the protocol version. That is: + `GET /a b HTTP/1.1` gets now URI as `/a b` and protocol as `HTTP/1.1` when + it used to be URI as `/a` and protocol as `b HTTP/1.1` Security changes ~~~~~~~~~~~~~~~~ diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c index b576ba3b7b97..0a647a4d4ae4 100644 --- a/src/app-layer-htp.c +++ b/src/app-layer-htp.c @@ -2496,6 +2496,9 @@ static void HTPConfigSetDefaultsPhase1(HTPCfgRec *cfg_prec) htp_config_register_response_complete(cfg_prec->cfg, HTPCallbackResponseComplete); htp_config_set_parse_request_cookies(cfg_prec->cfg, 0); +#ifdef HAVE_HTP_CONFIG_SET_ALLOW_SPACE_URI + htp_config_set_allow_space_uri(cfg_prec->cfg, 1); +#endif /* don't convert + to space by default */ htp_config_set_plusspace_decode(cfg_prec->cfg, HTP_DECODER_URLENCODED, 0); From 63428cf713416a4623d5645dbaf9d81c55dc17a0 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 May 2022 13:39:32 +0200 Subject: [PATCH 2/2] detect: checks for space in http.protcol keyword --- src/detect-http-protocol.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 9dc3455d2149..d843d690933f 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -128,6 +128,30 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, return buffer; } +static bool DetectHttpProtocolValidateCallback(const Signature *s, const char **sigerror) +{ +#ifdef HAVE_HTP_CONFIG_SET_ALLOW_SPACE_URI + for (uint32_t x = 0; x < s->init_data->buffer_index; x++) { + if (s->init_data->buffers[x].id != (uint32_t)g_buffer_id) + continue; + const SigMatch *sm = s->init_data->buffers[x].head; + for (; sm != NULL; sm = sm->next) { + if (sm->type != DETECT_CONTENT) + continue; + const DetectContentData *cd = (DetectContentData *)sm->ctx; + for (size_t i = 0; i < cd->content_len; ++i) { + if (cd->content[i] == ' ') { + *sigerror = "Invalid http.protocol string containing a space"; + SCLogWarning("rule %u: %s", s->id, *sigerror); + return false; + } + } + } + } +#endif + return true; +} + /** * \brief Registers the keyword handlers for the "http.protocol" keyword. */ @@ -160,6 +184,7 @@ void DetectHttpProtocolRegister(void) DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectHttpProtocolValidateCallback); g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); }