blob: bd0c41365d424ed0186548172fc4902a9e9e40f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
use strict;
use warnings FATAL => 'all';
use Apache::Test;
use Apache::TestRequest;
use Apache::TestUtil;
plan tests => 4, need 'ssl';
# This test case attempts only one type of attack which is possible
# due to the TLS renegotiation vulnerability, CVE-2009-3555. A
# specific defense against this attack was added to mod_ssl in
# r891282. For more information, see the dev@httpd thread beginning
# at message ID <4B01BD20.1060300@adnovum.ch>.
Apache::TestRequest::set_client_cert("client_ok");
Apache::TestRequest::module('mod_ssl');
my $sock = Apache::TestRequest::vhost_socket('mod_ssl');
if ($sock && $sock->connected && $sock->get_sslversion() eq "TLSv1_3") {
skip "Skipping test for TLSv1.3" foreach(1..4);
exit;
}
ok $sock && $sock->connected;
my $req = "GET /require/asf/ HTTP/1.1\r\n".
"Host: " . Apache::TestRequest::hostport() . "\r\n".
"\r\n".
"GET /this/is/a/prefix/injection/attack HTTP/1.0\r\n".
"Host: " . Apache::TestRequest::hostport() . "\r\n".
"\r\n";
ok $sock->print($req);
my $line = Apache::TestRequest::getline($sock) || '';
ok t_cmp($line, qr{^HTTP/1\.. 200}, "read first response-line");
my $rv = 0;
do {
$line = Apache::TestRequest::getline($sock) || '';
$line = super_chomp($line);
print "# line: $line\n";
if ($line eq "Connection: close") {
$rv = 1;
}
} until ($line eq "");
ok $rv, 1, "expected Connection: close header in response";
sub super_chomp {
my ($body) = shift;
## super chomp - all leading and trailing \n (and \r for win32)
$body =~ s/^[\n\r]*//;
$body =~ s/[\n\r]*$//;
## and all the rest change to spaces
$body =~ s/\n/ /g;
$body =~ s/\r//g; #rip out all remaining \r's
$body;
}
|
