Adding upstream version 1:0.5.47.upstream/1%0.5.47

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 345 insertions, 0 deletions

diff --git a/htp/htp_multipart.h b/htp/htp_multipart.h
new file mode 100644
index 0000000..614ef63
--- /dev/null
+++ b/htp/htp_multipart.h
@@ -0,0 +1,345 @@
+/***************************************************************************
+ * Copyright (c) 2009-2010 Open Information Security Foundation
+ * Copyright (c) 2010-2013 Qualys, Inc.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+
+ * - Neither the name of the Qualys, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived from
+ *   this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ ***************************************************************************/
+
+/**
+ * @file
+ * @author Ivan Ristic <ivanr@webkreator.com>
+ */
+
+#ifndef _HTP_MULTIPART_H
+#define	_HTP_MULTIPART_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "bstr.h"
+#include "htp.h"
+#include "htp_table.h"
+
+
+// Constants and enums.
+
+/**
+ * Seen a LF line in the payload. LF lines are not allowed, but
+ * some clients do use them and some backends do accept them. Mixing
+ * LF and CRLF lines within some payload might be unusual.
+ */
+#define HTP_MULTIPART_LF_LINE                   0x0001
+
+/** Seen a CRLF line in the payload. This is normal and expected. */
+#define HTP_MULTIPART_CRLF_LINE                 0x0002
+
+/** Seen LWS after a boundary instance in the body. Unusual. */
+#define HTP_MULTIPART_BBOUNDARY_LWS_AFTER       0x0004
+
+/** Seen non-LWS content after a boundary instance in the body. Highly unusual. */
+#define HTP_MULTIPART_BBOUNDARY_NLWS_AFTER      0x0008
+
+/**
+ * Payload has a preamble part. Might not be that unusual.
+ */
+#define HTP_MULTIPART_HAS_PREAMBLE              0x0010
+
+/**
+ * Payload has an epilogue part. Unusual.
+ */
+#define HTP_MULTIPART_HAS_EPILOGUE              0x0020
+
+/**
+ * The last boundary was seen in the payload. Absence of the last boundary
+ * may not break parsing with some (most?) backends, but it means that the payload
+ * is not well formed. Can occur if the client gives up, or if the connection is
+ * interrupted. Incomplete payloads should be blocked whenever possible.
+ */
+#define HTP_MULTIPART_SEEN_LAST_BOUNDARY        0x0040
+
+/**
+ * There was a part after the last boundary. This is highly irregular
+ * and indicative of evasion.
+ */
+#define HTP_MULTIPART_PART_AFTER_LAST_BOUNDARY  0x0080
+
+/**
+ * The payloads ends abruptly, without proper termination. Can occur if the client gives up,
+ * or if the connection is interrupted. When this flag is raised, HTP_MULTIPART_PART_INCOMPLETE
+ * will also be raised for the part that was only partially processed. (But the opposite may not
+ * always be the case -- there are other ways in which a part can be left incomplete.)
+ */
+#define HTP_MULTIPART_INCOMPLETE                0x0100
+
+/** The boundary in the Content-Type header is invalid. */
+#define HTP_MULTIPART_HBOUNDARY_INVALID         0x0200
+
+/**
+ * The boundary in the Content-Type header is unusual. This may mean that evasion
+ * is attempted, but it could also mean that we have encountered a client that does
+ * not do things in the way it should.
+ */
+#define HTP_MULTIPART_HBOUNDARY_UNUSUAL         0x0400
+
+/**
+ * The boundary in the Content-Type header is quoted. This is very unusual,
+ * and may be indicative of an evasion attempt.
+ */
+#define HTP_MULTIPART_HBOUNDARY_QUOTED          0x0800
+
+/** Header folding was used in part headers. Very unusual. */
+#define HTP_MULTIPART_PART_HEADER_FOLDING       0x1000
+
+/**
+ * A part of unknown type was encountered, which probably means that the part is lacking
+ * a Content-Disposition header, or that the header is invalid. Highly unusual.
+ */
+#define HTP_MULTIPART_PART_UNKNOWN              0x2000
+
+/** There was a repeated part header, possibly in an attempt to confuse the parser. Very unusual. */
+#define HTP_MULTIPART_PART_HEADER_REPEATED      0x4000
+
+/** Unknown part header encountered. */
+#define HTP_MULTIPART_PART_HEADER_UNKNOWN       0x8000
+
+/** Invalid part header encountered. */
+#define HTP_MULTIPART_PART_HEADER_INVALID       0x10000
+
+/** Part type specified in the C-D header is neither MULTIPART_PART_TEXT nor MULTIPART_PART_FILE. */
+#define HTP_MULTIPART_CD_TYPE_INVALID           0x20000
+
+/** Content-Disposition part header with multiple parameters with the same name. */
+#define HTP_MULTIPART_CD_PARAM_REPEATED         0x40000
+
+/** Unknown Content-Disposition parameter. */
+#define HTP_MULTIPART_CD_PARAM_UNKNOWN          0x80000
+
+/** Invalid Content-Disposition syntax. */
+#define HTP_MULTIPART_CD_SYNTAX_INVALID         0x100000
+
+/**
+ * There is an abruptly terminated part. This can happen when the payload itself is abruptly
+ * terminated (in which case HTP_MULTIPART_INCOMPLETE) will be raised. However, it can also
+ * happen when a boundary is seen before any part data.
+ */
+#define HTP_MULTIPART_PART_INCOMPLETE           0x200000
+
+/** A NUL byte was seen in a part header area. */
+#define HTP_MULTIPART_NUL_BYTE                  0x400000
+
+/** A collection of flags that all indicate an invalid C-D header. */
+#define HTP_MULTIPART_CD_INVALID ( \
+    HTP_MULTIPART_CD_TYPE_INVALID | \
+    HTP_MULTIPART_CD_PARAM_REPEATED | \
+    HTP_MULTIPART_CD_PARAM_UNKNOWN | \
+    HTP_MULTIPART_CD_SYNTAX_INVALID )
+
+/** A collection of flags that all indicate an invalid part. */
+#define HTP_MULTIPART_PART_INVALID ( \
+    HTP_MULTIPART_CD_INVALID | \
+    HTP_MULTIPART_NUL_BYTE | \
+    HTP_MULTIPART_PART_UNKNOWN | \
+    HTP_MULTIPART_PART_HEADER_REPEATED | \
+    HTP_MULTIPART_PART_INCOMPLETE | \
+    HTP_MULTIPART_PART_HEADER_UNKNOWN | \
+    HTP_MULTIPART_PART_HEADER_INVALID )
+
+/** A collection of flags that all indicate an invalid Multipart payload. */
+#define HTP_MULTIPART_INVALID ( \
+    HTP_MULTIPART_PART_INVALID | \
+    HTP_MULTIPART_PART_AFTER_LAST_BOUNDARY | \
+    HTP_MULTIPART_INCOMPLETE | \
+    HTP_MULTIPART_HBOUNDARY_INVALID )
+
+/** A collection of flags that all indicate an unusual Multipart payload. */
+#define HTP_MULTIPART_UNUSUAL ( \
+    HTP_MULTIPART_INVALID | \
+    HTP_MULTIPART_PART_HEADER_FOLDING | \
+    HTP_MULTIPART_BBOUNDARY_NLWS_AFTER | \
+    HTP_MULTIPART_HAS_EPILOGUE | \
+    HTP_MULTIPART_HBOUNDARY_UNUSUAL \
+    HTP_MULTIPART_HBOUNDARY_QUOTED )
+
+/** A collection of flags that all indicate an unusual Multipart payload, with a low sensitivity to irregularities. */
+#define HTP_MULTIPART_UNUSUAL_PARANOID ( \
+    HTP_MULTIPART_UNUSUAL | \
+    HTP_MULTIPART_LF_LINE | \
+    HTP_MULTIPART_BBOUNDARY_LWS_AFTER | \
+    HTP_MULTIPART_HAS_PREAMBLE )
+
+#define HTP_MULTIPART_MIME_TYPE                 "multipart/form-data"
+
+enum htp_multipart_type_t {
+
+    /** Unknown part. */
+    MULTIPART_PART_UNKNOWN = 0,
+
+    /** Text (parameter) part. */
+    MULTIPART_PART_TEXT = 1,
+
+    /** File part. */
+    MULTIPART_PART_FILE = 2,
+
+    /** Free-text part before the first boundary. */
+    MULTIPART_PART_PREAMBLE = 3,
+
+    /** Free-text part after the last boundary. */
+    MULTIPART_PART_EPILOGUE = 4
+};
+
+
+// Structures
+
+/**
+ * Holds multipart parser configuration and state. Private.
+ */
+typedef struct htp_mpartp_t htp_mpartp_t;
+
+/**
+ * Holds information related to a multipart body.
+ */
+typedef struct htp_multipart_t {
+    /** Multipart boundary. */
+    char *boundary;
+
+    /** Boundary length. */
+    size_t boundary_len;
+
+    /** How many boundaries were there? */
+    int boundary_count;   
+
+    /** List of parts, in the order in which they appeared in the body. */
+    htp_list_t *parts;
+
+    /** Parsing flags. */
+    uint64_t flags;
+} htp_multipart_t;
+
+/**
+ * Holds information related to a part.
+ */
+typedef struct htp_multipart_part_t {
+    /** Pointer to the parser. */
+    htp_mpartp_t *parser;
+
+    /** Part type; see the MULTIPART_PART_* constants. */
+    enum htp_multipart_type_t type;
+
+    /** Raw part length (i.e., headers and data). */
+    size_t len;
+   
+    /** Part name, from the Content-Disposition header. Can be NULL. */
+    bstr *name;   
+
+    /**
+     * Part value; the contents depends on the type of the part:
+     * 1) NULL for files; 2) contains complete part contents for
+     * preamble and epilogue parts (they have no headers), and
+     * 3) data only (headers excluded) for text and unknown parts.
+     */
+    bstr *value;
+
+    /** Part content type, from the Content-Type header. Can be NULL. */
+    bstr *content_type;
+
+    /** Part headers (htp_header_t instances), using header name as the key. */
+    htp_table_t *headers;
+
+    /** File data, available only for MULTIPART_PART_FILE parts. */
+    htp_file_t *file;
+} htp_multipart_part_t;
+
+
+// Functions
+
+/**
+ * Creates a new multipart/form-data parser. On a successful invocation,
+ * the ownership of the boundary parameter is transferred to the parser.
+ *
+ * @param[in] cfg
+ * @param[in] boundary
+ * @param[in] flags
+ * @return New parser instance, or NULL on memory allocation failure.
+ */
+htp_mpartp_t *htp_mpartp_create(htp_cfg_t *cfg, bstr *boundary, uint64_t flags);
+
+/**
+ * Looks for boundary in the supplied Content-Type request header. The extracted
+ * boundary will be allocated on the heap.
+ *
+ * @param[in] content_type
+ * @param[out] boundary
+ * @param[out] multipart_flags Multipart flags, which are not compatible from general LibHTP flags.
+ * @return HTP_OK on success (boundary found), HTP_DECLINED if boundary was not found,
+ *         and HTP_ERROR on failure. Flags may be set on HTP_OK and HTP_DECLINED. For
+ *         example, if a boundary could not be extracted but there is indication that
+ *         one is present, HTP_MULTIPART_HBOUNDARY_INVALID will be set.
+ */
+htp_status_t htp_mpartp_find_boundary(bstr *content_type, bstr **boundary, uint64_t *multipart_flags);
+
+/**
+ * Returns the multipart structure created by the parser.
+ *
+ * @param[in] parser
+ * @return The main multipart structure.
+ */
+htp_multipart_t *htp_mpartp_get_multipart(htp_mpartp_t *parser);
+
+/**
+ * Destroys the provided parser.
+ *
+ * @param[in] parser
+ */
+void htp_mpartp_destroy(htp_mpartp_t *parser);
+
+/**
+ * Finalize parsing.
+ *
+ * @param[in] parser
+ * @returns HTP_OK on success, HTP_ERROR on failure.
+ */
+htp_status_t htp_mpartp_finalize(htp_mpartp_t *parser);
+
+/**
+ * Parses a chunk of multipart/form-data data. This function should be called
+ * as many times as necessary until all data has been consumed.
+ *
+ * @param[in] parser
+ * @param[in] data
+ * @param[in] len
+ * @return HTP_OK on success, HTP_ERROR on failure.
+ */
+htp_status_t htp_mpartp_parse(htp_mpartp_t *parser, const void *data, size_t len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _HTP_MULTIPART_H */