From 3161ed034bbea40a705303811d7213aff9be17d2 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 01:56:20 +0200 Subject: Merging upstream version 2.4.59. Signed-off-by: Daniel Baumann --- test/modules/http2/test_200_header_invalid.py | 113 ++++++++++++++++---------- 1 file changed, 69 insertions(+), 44 deletions(-) (limited to 'test/modules/http2/test_200_header_invalid.py') diff --git a/test/modules/http2/test_200_header_invalid.py b/test/modules/http2/test_200_header_invalid.py index fdbfbe4..5b3aafd 100644 --- a/test/modules/http2/test_200_header_invalid.py +++ b/test/modules/http2/test_200_header_invalid.py @@ -12,24 +12,27 @@ class TestInvalidHeaders: assert env.apache_restart() == 0 # let the hecho.py CGI echo chars < 0x20 in field name - # for almost all such characters, the stream gets aborted with a h2 error and - # there will be no http status, cr and lf are handled special + # for almost all such characters, the stream returns a 500 + # or in httpd >= 2.5.0 gets aborted with a h2 error + # cr is handled special def test_h2_200_01(self, env): url = env.mkurl("https", "cgi", "/hecho.py") for x in range(1, 32): - r = env.curl_post_data(url, "name=x%%%02xx&value=yz" % x) - if x in [10]: - assert 0 == r.exit_code, "unexpected exit code for char 0x%02x" % x - assert 500 == r.response["status"], "unexpected status for char 0x%02x" % x - elif x in [13]: - assert 0 == r.exit_code, "unexpected exit code for char 0x%02x" % x - assert 200 == r.response["status"], "unexpected status for char 0x%02x" % x + data = f'name=x%{x:02x}x&value=yz' + r = env.curl_post_data(url, data) + if x in [13]: + assert 0 == r.exit_code, f'unexpected exit code for char 0x{x:02}' + assert 200 == r.response["status"], f'unexpected status for char 0x{x:02}' + elif x in [10] or env.httpd_is_at_least('2.5.0'): + assert 0 == r.exit_code, f'unexpected exit code for char 0x{x:02}' + assert 500 == r.response["status"], f'unexpected status for char 0x{x:02}' else: - assert 0 != r.exit_code, "unexpected exit code for char 0x%02x" % x + assert 0 != r.exit_code, f'unexpected exit code for char 0x{x:02}' # let the hecho.py CGI echo chars < 0x20 in field value - # for almost all such characters, the stream gets aborted with a h2 error and - # there will be no http status, cr and lf are handled special + # for almost all such characters, the stream returns a 500 + # or in httpd >= 2.5.0 gets aborted with a h2 error + # cr and lf are handled special def test_h2_200_02(self, env): url = env.mkurl("https", "cgi", "/hecho.py") for x in range(1, 32): @@ -38,6 +41,9 @@ class TestInvalidHeaders: if x in [10, 13]: assert 0 == r.exit_code, "unexpected exit code for char 0x%02x" % x assert 200 == r.response["status"], "unexpected status for char 0x%02x" % x + elif env.httpd_is_at_least('2.5.0'): + assert 0 == r.exit_code, f'unexpected exit code for char 0x{x:02}' + assert 500 == r.response["status"], f'unexpected status for char 0x{x:02}' else: assert 0 != r.exit_code, "unexpected exit code for char 0x%02x" % x @@ -46,40 +52,61 @@ class TestInvalidHeaders: url = env.mkurl("https", "cgi", "/hecho.py") for h in ["10", "7f"]: r = env.curl_post_data(url, "name=x%%%s&value=yz" % h) - assert 0 != r.exit_code + if env.httpd_is_at_least('2.5.0'): + assert 0 == r.exit_code, f"unexpected exit code for char 0x{h:02}" + assert 500 == r.response["status"], f"unexpected exit code for char 0x{h:02}" + else: + assert 0 != r.exit_code r = env.curl_post_data(url, "name=x&value=y%%%sz" % h) - assert 0 != r.exit_code - - # test header field lengths check, LimitRequestLine (default 8190) + if env.httpd_is_at_least('2.5.0'): + assert 0 == r.exit_code, f"unexpected exit code for char 0x{h:02}" + assert 500 == r.response["status"], f"unexpected exit code for char 0x{h:02}" + else: + assert 0 != r.exit_code + + # test header field lengths check, LimitRequestLine def test_h2_200_10(self, env): - url = env.mkurl("https", "cgi", "/") - val = "1234567890" # 10 chars - for i in range(3): # make a 10000 char string - val = "%s%s%s%s%s%s%s%s%s%s" % (val, val, val, val, val, val, val, val, val, val) - # LimitRequestLine 8190 ok, one more char -> 431 - r = env.curl_get(url, options=["-H", "x: %s" % (val[:8187])]) - assert r.response["status"] == 200 - r = env.curl_get(url, options=["-H", "x: %sx" % (val[:8188])]) - assert 431 == r.response["status"] - # same with field name - r = env.curl_get(url, options=["-H", "y%s: 1" % (val[:8186])]) + conf = H2Conf(env) + conf.add(""" + LimitRequestLine 1024 + """) + conf.add_vhost_cgi() + conf.install() + assert env.apache_restart() == 0 + val = 200*"1234567890" + url = env.mkurl("https", "cgi", f'/?{val[:1022]}') + r = env.curl_get(url) assert r.response["status"] == 200 - r = env.curl_get(url, options=["-H", "y%s: 1" % (val[:8188])]) - assert 431 == r.response["status"] + url = env.mkurl("https", "cgi", f'/?{val[:1023]}') + r = env.curl_get(url) + # URI too long + assert 414 == r.response["status"] # test header field lengths check, LimitRequestFieldSize (default 8190) def test_h2_200_11(self, env): + conf = H2Conf(env) + conf.add(""" + LimitRequestFieldSize 1024 + """) + conf.add_vhost_cgi() + conf.install() + assert env.apache_restart() == 0 url = env.mkurl("https", "cgi", "/") - val = "1234567890" # 10 chars - for i in range(3): # make a 10000 char string - val = "%s%s%s%s%s%s%s%s%s%s" % (val, val, val, val, val, val, val, val, val, val) - # LimitRequestFieldSize 8190 ok, one more char -> 400 in HTTP/1.1 - # (we send 4000+4185 since they are concatenated by ", " and start with "x: " - r = env.curl_get(url, options=["-H", "x: %s" % (val[:4000]), "-H", "x: %s" % (val[:4185])]) - assert r.response["status"] == 200 - r = env.curl_get(url, options=["--http1.1", "-H", "x: %s" % (val[:4000]), "-H", "x: %s" % (val[:4189])]) + val = 200*"1234567890" + # two fields, concatenated with ', ' + # LimitRequestFieldSize, one more char -> 400 in HTTP/1.1 + r = env.curl_get(url, options=[ + '-H', f'x: {val[:500]}', '-H', f'x: {val[:519]}' + ]) + assert r.exit_code == 0, f'{r}' + assert r.response["status"] == 200, f'{r}' + r = env.curl_get(url, options=[ + '--http1.1', '-H', f'x: {val[:500]}', '-H', f'x: {val[:523]}' + ]) assert 400 == r.response["status"] - r = env.curl_get(url, options=["-H", "x: %s" % (val[:4000]), "-H", "x: %s" % (val[:4191])]) + r = env.curl_get(url, options=[ + '-H', f'x: {val[:500]}', '-H', f'x: {val[:520]}' + ]) assert 431 == r.response["status"] # test header field count, LimitRequestFields (default 100) @@ -163,6 +190,8 @@ class TestInvalidHeaders: # invalid chars in method def test_h2_200_16(self, env): + if not env.h2load_is_at_least('1.45.0'): + pytest.skip(f'nhttp2 version too old') conf = H2Conf(env) conf.add_vhost_cgi() conf.install() @@ -171,12 +200,8 @@ class TestInvalidHeaders: opt = ["-H:method: GET /hello.py"] r = env.nghttp().get(url, options=opt) assert r.exit_code == 0, r - # nghttp version >= 1.45.0 check pseudo headers and RST streams, - # which means we see no response. - if r.response is not None: - assert r.response["status"] == 400 + assert r.response is None url = env.mkurl("https", "cgi", "/proxy/hello.py") r = env.nghttp().get(url, options=opt) assert r.exit_code == 0, r - if r.response is not None: - assert r.response["status"] == 400 + assert r.response is None -- cgit v1.2.3