summaryrefslogtreecommitdiffstats
path: root/htp/htp_util.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:40:56 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:40:56 +0000
commitc248d29056abbc1fc4c5dc178bab48fb8d2c1fcb (patch)
tree4a13fc30604509224504e1911bc976e5df7bdf05 /htp/htp_util.c
parentInitial commit. (diff)
downloadlibhtp-upstream/1%0.5.47.tar.xz
libhtp-upstream/1%0.5.47.zip
Adding upstream version 1:0.5.47.upstream/1%0.5.47
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'htp/htp_util.c')
-rw-r--r--htp/htp_util.c2602
1 files changed, 2602 insertions, 0 deletions
diff --git a/htp/htp_util.c b/htp/htp_util.c
new file mode 100644
index 0000000..936e22b
--- /dev/null
+++ b/htp/htp_util.c
@@ -0,0 +1,2602 @@
+/***************************************************************************
+ * Copyright (c) 2009-2010 Open Information Security Foundation
+ * Copyright (c) 2010-2013 Qualys, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+
+ * - Neither the name of the Qualys, Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ ***************************************************************************/
+
+/**
+ * @file
+ * @author Ivan Ristic <ivanr@webkreator.com>
+ */
+
+#include "htp_config_auto.h"
+
+//inet_pton
+#if _WIN32
+#include <ws2tcpip.h>
+#else // mac, linux, freebsd
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#endif
+
+#include "htp_private.h"
+
+/**
+ * Is character a linear white space character?
+ *
+ * @param[in] c
+ * @return 0 or 1
+ */
+int htp_is_lws(int c) {
+ if ((c == ' ') || (c == '\t')) return 1;
+ else return 0;
+}
+
+/**
+ * Is character a separator character?
+ *
+ * @param[in] c
+ * @return 0 or 1
+ */
+int htp_is_separator(int c) {
+ /* separators = "(" | ")" | "<" | ">" | "@"
+ | "," | ";" | ":" | "\" | <">
+ | "/" | "[" | "]" | "?" | "="
+ | "{" | "}" | SP | HT */
+ switch (c) {
+ case '(':
+ case ')':
+ case '<':
+ case '>':
+ case '@':
+ case ',':
+ case ';':
+ case ':':
+ case '\\':
+ case '"':
+ case '/':
+ case '[':
+ case ']':
+ case '?':
+ case '=':
+ case '{':
+ case '}':
+ case ' ':
+ case '\t':
+ return 1;
+ break;
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Is character a text character?
+ *
+ * @param[in] c
+ * @return 0 or 1
+ */
+int htp_is_text(int c) {
+ if (c == '\t') return 1;
+ if (c < 32) return 0;
+ return 1;
+}
+
+/**
+ * Is character a token character?
+ *
+ * @param[in] c
+ * @return 0 or 1
+ */
+int htp_is_token(int c) {
+ /* token = 1*<any CHAR except CTLs or separators> */
+ /* CHAR = <any US-ASCII character (octets 0 - 127)> */
+ if ((c < 32) || (c > 126)) return 0;
+ if (htp_is_separator(c)) return 0;
+ return 1;
+}
+
+/**
+ * Remove all line terminators (LF, CR or CRLF) from
+ * the end of the line provided as input.
+ *
+ * @return 0 if nothing was removed, 1 if one or more LF characters were removed, or
+ * 2 if one or more CR and/or LF characters were removed.
+ */
+int htp_chomp(unsigned char *data, size_t *len) {
+ int r = 0;
+
+ // Loop until there's no more stuff in the buffer
+ while (*len > 0) {
+ // Try one LF first
+ if (data[*len - 1] == LF) {
+ (*len)--;
+ r = 1;
+
+ if (*len == 0) return r;
+
+ // A CR is allowed before LF
+ if (data[*len - 1] == CR) {
+ (*len)--;
+ r = 2;
+ }
+ } else if (data[*len - 1] == CR) {
+ (*len)--;
+ r = 1;
+ } else return r;
+ }
+
+ return r;
+}
+
+/**
+ * Is character a white space character?
+ *
+ * @param[in] c
+ * @return 0 or 1
+ */
+int htp_is_space(int c) {
+ switch (c) {
+ case ' ':
+ case '\f':
+ case '\v':
+ case '\t':
+ case '\r':
+ case '\n':
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Converts request method, given as a string, into a number.
+ *
+ * @param[in] method
+ * @return Method number of M_UNKNOWN
+ */
+int htp_convert_method_to_number(bstr *method) {
+ if (method == NULL) return HTP_M_UNKNOWN;
+
+ // TODO Optimize using parallel matching, or something similar.
+
+ if (bstr_cmp_c(method, "GET") == 0) return HTP_M_GET;
+ if (bstr_cmp_c(method, "PUT") == 0) return HTP_M_PUT;
+ if (bstr_cmp_c(method, "POST") == 0) return HTP_M_POST;
+ if (bstr_cmp_c(method, "DELETE") == 0) return HTP_M_DELETE;
+ if (bstr_cmp_c(method, "CONNECT") == 0) return HTP_M_CONNECT;
+ if (bstr_cmp_c(method, "OPTIONS") == 0) return HTP_M_OPTIONS;
+ if (bstr_cmp_c(method, "TRACE") == 0) return HTP_M_TRACE;
+ if (bstr_cmp_c(method, "PATCH") == 0) return HTP_M_PATCH;
+ if (bstr_cmp_c(method, "PROPFIND") == 0) return HTP_M_PROPFIND;
+ if (bstr_cmp_c(method, "PROPPATCH") == 0) return HTP_M_PROPPATCH;
+ if (bstr_cmp_c(method, "MKCOL") == 0) return HTP_M_MKCOL;
+ if (bstr_cmp_c(method, "COPY") == 0) return HTP_M_COPY;
+ if (bstr_cmp_c(method, "MOVE") == 0) return HTP_M_MOVE;
+ if (bstr_cmp_c(method, "LOCK") == 0) return HTP_M_LOCK;
+ if (bstr_cmp_c(method, "UNLOCK") == 0) return HTP_M_UNLOCK;
+ if (bstr_cmp_c(method, "VERSION-CONTROL") == 0) return HTP_M_VERSION_CONTROL;
+ if (bstr_cmp_c(method, "CHECKOUT") == 0) return HTP_M_CHECKOUT;
+ if (bstr_cmp_c(method, "UNCHECKOUT") == 0) return HTP_M_UNCHECKOUT;
+ if (bstr_cmp_c(method, "CHECKIN") == 0) return HTP_M_CHECKIN;
+ if (bstr_cmp_c(method, "UPDATE") == 0) return HTP_M_UPDATE;
+ if (bstr_cmp_c(method, "LABEL") == 0) return HTP_M_LABEL;
+ if (bstr_cmp_c(method, "REPORT") == 0) return HTP_M_REPORT;
+ if (bstr_cmp_c(method, "MKWORKSPACE") == 0) return HTP_M_MKWORKSPACE;
+ if (bstr_cmp_c(method, "MKACTIVITY") == 0) return HTP_M_MKACTIVITY;
+ if (bstr_cmp_c(method, "BASELINE-CONTROL") == 0) return HTP_M_BASELINE_CONTROL;
+ if (bstr_cmp_c(method, "MERGE") == 0) return HTP_M_MERGE;
+ if (bstr_cmp_c(method, "INVALID") == 0) return HTP_M_INVALID;
+ if (bstr_cmp_c(method, "HEAD") == 0) return HTP_M_HEAD;
+
+ return HTP_M_UNKNOWN;
+}
+
+/**
+ * Is the given line empty?
+ *
+ * @param[in] data
+ * @param[in] len
+ * @return 0 or 1
+ */
+int htp_is_line_empty(unsigned char *data, size_t len) {
+ if (((len == 1) && ((data[0] == CR) || (data[0] == LF))) ||
+ ((len == 2) && (data[0] == CR) && (data[1] == LF))) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * Does line consist entirely of whitespace characters?
+ *
+ * @param[in] data
+ * @param[in] len
+ * @return 0 or 1
+ */
+int htp_is_line_whitespace(unsigned char *data, size_t len) {
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ if (!isspace(data[i])) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+/**
+ * Parses Content-Length string (positive decimal number).
+ * White space is allowed before and after the number.
+ *
+ * @param[in] b
+ * @return Content-Length as a number, or -1 on error.
+ */
+int64_t htp_parse_content_length(bstr *b, htp_connp_t *connp) {
+ size_t len = bstr_len(b);
+ unsigned char * data = (unsigned char *) bstr_ptr(b);
+ size_t pos = 0;
+ int64_t r = 0;
+
+ if (len == 0) return -1003;
+
+ // Ignore junk before
+ while ((pos < len) && (data[pos] < '0' || data[pos] > '9')) {
+ if (!htp_is_lws(data[pos]) && connp != NULL && r == 0) {
+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0,
+ "C-L value with extra data in the beginning");
+ r = -1;
+ }
+ pos++;
+ }
+ if (pos == len) return -1001;
+
+ r = bstr_util_mem_to_pint(data + pos, len - pos, 10, &pos);
+ // Ok to have junk afterwards
+ if (pos < len && connp != NULL) {
+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0,
+ "C-L value with extra data in the end");
+ }
+ return r;
+}
+
+/**
+ * Parses chunk length (positive hexadecimal number). White space is allowed before
+ * and after the number. An error will be returned if the chunk length is greater than
+ * INT32_MAX.
+ *
+ * @param[in] data
+ * @param[in] len
+ * @return Chunk length, or a negative number on error.
+ */
+int64_t htp_parse_chunked_length(unsigned char *data, size_t len, int *extension) {
+ // skip leading line feeds and other control chars
+ while (len) {
+ unsigned char c = *data;
+ if (!(c == 0x0d || c == 0x0a || c == 0x20 || c == 0x09 || c == 0x0b || c == 0x0c))
+ break;
+ data++;
+ len--;
+ }
+ if (len == 0)
+ return -1004;
+
+ // find how much of the data is correctly formatted
+ size_t i = 0;
+ while (i < len) {
+ unsigned char c = data[i];
+ if (!(isdigit(c) ||
+ (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')))
+ break;
+ i++;
+ }
+ // cut off trailing junk
+ if (i != len) {
+ if (extension) {
+ size_t j = i;
+ while (j < len) {
+ if (data[j] == ';') {
+ *extension = 1;
+ break;
+ }
+ j++;
+ }
+ }
+ len = i;
+ }
+
+ int64_t chunk_len = htp_parse_positive_integer_whitespace(data, len, 16);
+ if (chunk_len < 0) return chunk_len;
+ if (chunk_len > INT32_MAX) return -1;
+ return chunk_len;
+}
+
+/**
+ * A somewhat forgiving parser for a positive integer in a given base.
+ * Only LWS is allowed before and after the number.
+ *
+ * @param[in] data
+ * @param[in] len
+ * @param[in] base
+ * @return The parsed number on success; a negative number on error.
+ */
+int64_t htp_parse_positive_integer_whitespace(unsigned char *data, size_t len, int base) {
+ if (len == 0) return -1003;
+
+ size_t last_pos;
+ size_t pos = 0;
+
+ // Ignore LWS before
+ while ((pos < len) && (htp_is_lws(data[pos]))) pos++;
+ if (pos == len) return -1001;
+
+ int64_t r = bstr_util_mem_to_pint(data + pos, len - pos, base, &last_pos);
+ if (r < 0) return r;
+
+ // Move after the last digit
+ pos += last_pos;
+
+ // Ignore LWS after
+ while (pos < len) {
+ if (!htp_is_lws(data[pos])) {
+ return -1002;
+ }
+
+ pos++;
+ }
+
+ return r;
+}
+
+#ifdef HTP_DEBUG
+
+/**
+ * Prints one log message to stderr.
+ *
+ * @param[in] stream
+ * @param[in] log
+ */
+void htp_print_log(FILE *stream, htp_log_t *log) {
+ if (log->code != 0) {
+ fprintf(stream, "[%d][code %d][file %s][line %d] %s\n", log->level,
+ log->code, log->file, log->line, log->msg);
+ } else {
+ fprintf(stream, "[%d][file %s][line %d] %s\n", log->level,
+ log->file, log->line, log->msg);
+ }
+}
+#endif
+
+/**
+ * Records one log message.
+ *
+ * @param[in] connp
+ * @param[in] file
+ * @param[in] line
+ * @param[in] level
+ * @param[in] code
+ * @param[in] fmt
+ */
+void htp_log(htp_connp_t *connp, const char *file, int line, enum htp_log_level_t level, int code, const char *fmt, ...) {
+ if (connp == NULL) return;
+
+ char buf[1024];
+ va_list args;
+
+ // Ignore messages below our log level.
+ if (connp->cfg->log_level < level) {
+ return;
+ }
+
+ va_start(args, fmt);
+
+ int r = vsnprintf(buf, 1024, fmt, args);
+
+ va_end(args);
+
+ if (r < 0) {
+ snprintf(buf, 1024, "[vnsprintf returned error %d]", r);
+ } else if (r >= 1024) {
+ // Indicate overflow with a '+' at the end.
+ buf[1022] = '+';
+ buf[1023] = '\0';
+ }
+
+ // Create a new log entry.
+
+ htp_log_t *log = calloc(1, sizeof (htp_log_t));
+ if (log == NULL) return;
+
+ log->connp = connp;
+ log->file = file;
+ log->line = line;
+ log->level = level;
+ log->code = code;
+ log->msg = strdup(buf);
+
+ if (htp_list_add(connp->conn->messages, log) != HTP_OK) {
+ free((void *) log->msg);
+ free(log);
+ return;
+ }
+
+ if (level == HTP_LOG_ERROR) {
+ connp->last_error = log;
+ }
+
+ #ifdef HTP_DEBUG
+ fprintf(stderr, "[LOG] %s\n", log->msg);
+ #endif
+
+ /* coverity[check_return] */
+ htp_hook_run_all(connp->cfg->hook_log, log);
+}
+
+/**
+ * Determines if the given line is a continuation (of some previous line).
+ *
+ * @param[in] data
+ * @param[in] len
+ * @return 0 or 1 for false and true, respectively. Returns -1 on error (NULL pointer or length zero).
+ */
+int htp_connp_is_line_folded(unsigned char *data, size_t len) {
+ if ((data == NULL) || (len == 0)) return -1;
+ return htp_is_folding_char(data[0]);
+}
+
+int htp_is_folding_char(int c) {
+ if (htp_is_lws(c) || c == 0) return 1;
+ else return 0;
+}
+
+/**
+ * Determines if the given line is a request terminator.
+ *
+ * @param[in] connp
+ * @param[in] data
+ * @param[in] len
+ * @return 0 or 1
+ */
+int htp_connp_is_line_terminator(htp_connp_t *connp, unsigned char *data, size_t len, int next_no_lf) {
+ // Is this the end of request headers?
+ switch (connp->cfg->server_personality) {
+ case HTP_SERVER_IIS_5_1:
+ // IIS 5 will accept a whitespace line as a terminator
+ if (htp_is_line_whitespace(data, len)) {
+ return 1;
+ }
+
+ // Fall through
+ default:
+ // Treat an empty line as terminator
+ if (htp_is_line_empty(data, len)) {
+ return 1;
+ }
+ // Only space is terminator if terminator does not follow right away
+ if (len == 2 && htp_is_lws(data[0]) && data[1] == LF) {
+ return next_no_lf;
+ }
+ break;
+ }
+
+ return 0;
+}
+
+/**
+ * Determines if the given line can be ignored when it appears before a request.
+ *
+ * @param[in] connp
+ * @param[in] data
+ * @param[in] len
+ * @return 0 or 1
+ */
+int htp_connp_is_line_ignorable(htp_connp_t *connp, unsigned char *data, size_t len) {
+ return htp_connp_is_line_terminator(connp, data, len, 0);
+}
+
+static htp_status_t htp_parse_port(unsigned char *data, size_t len, int *port, int *invalid) {
+ if (len == 0) {
+ *port = -1;
+ *invalid = 1;
+ return HTP_OK;
+ }
+
+ int64_t port_parsed = htp_parse_positive_integer_whitespace(data, len, 10);
+
+ if (port_parsed < 0) {
+ // Failed to parse the port number.
+ *port = -1;
+ *invalid = 1;
+ } else if ((port_parsed > 0) && (port_parsed < 65536)) {
+ // Valid port number.
+ *port = (int) port_parsed;
+ } else {
+ // Port number out of range.
+ *port = -1;
+ *invalid = 1;
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Parses an authority string, which consists of a hostname with an optional port number; username
+ * and password are not allowed and will not be handled.
+ *
+ * @param[in] hostport
+ * @param[out] hostname A bstring containing the hostname, or NULL if the hostname is invalid. If this value
+ * is not NULL, the caller assumes responsibility for memory management.
+ * @param[out] port Port as text, or NULL if not provided.
+ * @param[out] port_number Port number, or -1 if the port is not present or invalid.
+ * @param[out] invalid Set to 1 if any part of the authority is invalid.
+ * @return HTP_OK on success, HTP_ERROR on memory allocation failure.
+ */
+htp_status_t htp_parse_hostport(bstr *hostport, bstr **hostname, bstr **port, int *port_number, int *invalid) {
+ if ((hostport == NULL) || (hostname == NULL) || (port_number == NULL) || (invalid == NULL)) return HTP_ERROR;
+
+ *hostname = NULL;
+ if (port != NULL) {
+ *port = NULL;
+ }
+ *port_number = -1;
+ *invalid = 0;
+
+ unsigned char *data = bstr_ptr(hostport);
+ size_t len = bstr_len(hostport);
+
+ bstr_util_mem_trim(&data, &len);
+
+ if (len == 0) {
+ *invalid = 1;
+ return HTP_OK;
+ }
+
+ // Check for an IPv6 address.
+ if (data[0] == '[') {
+ // IPv6 host.
+
+ // Find the end of the IPv6 address.
+ size_t pos = 0;
+ while ((pos < len) && (data[pos] != ']')) pos++;
+ if (pos == len) {
+ *invalid = 1;
+ return HTP_OK;
+ }
+
+ *hostname = bstr_dup_mem(data, pos + 1);
+ if (*hostname == NULL) return HTP_ERROR;
+
+ // Over the ']'.
+ pos++;
+ if (pos == len) return HTP_OK;
+
+ // Handle port.
+ if (data[pos] == ':') {
+ if (port != NULL) {
+ *port = bstr_dup_mem(data + pos + 1, len - pos - 1);
+ if (*port == NULL) {
+ bstr_free(*hostname);
+ return HTP_ERROR;
+ }
+ }
+
+ return htp_parse_port(data + pos + 1, len - pos - 1, port_number, invalid);
+ } else {
+ *invalid = 1;
+ return HTP_OK;
+ }
+ } else {
+ // Not IPv6 host.
+
+ // Is there a colon?
+ unsigned char *colon = memchr(data, ':', len);
+ if (colon == NULL) {
+ // Hostname alone, no port.
+
+ *hostname = bstr_dup_mem(data, len);
+ if (*hostname == NULL) return HTP_ERROR;
+
+ bstr_to_lowercase(*hostname);
+ } else {
+ // Hostname and port.
+
+ // Ignore whitespace at the end of hostname.
+ unsigned char *hostend = colon;
+ while ((hostend > data) && (isspace(*(hostend - 1)))) hostend--;
+
+ *hostname = bstr_dup_mem(data, hostend - data);
+ if (*hostname == NULL) return HTP_ERROR;
+
+ if (port != NULL) {
+ *port = bstr_dup_mem(colon + 1, len - (colon + 1 - data));
+ if (*port == NULL) {
+ bstr_free(*hostname);
+ return HTP_ERROR;
+ }
+ }
+
+ return htp_parse_port(colon + 1, len - (colon + 1 - data), port_number, invalid);
+ }
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Parses hostport provided in the URI.
+ *
+ * @param[in] connp
+ * @param[in] hostport
+ * @param[in] uri
+ * @return HTP_OK on success or HTP_ERROR error.
+ */
+int htp_parse_uri_hostport(htp_connp_t *connp, bstr *hostport, htp_uri_t *uri) {
+ int invalid;
+
+ htp_status_t rc = htp_parse_hostport(hostport, &(uri->hostname), &(uri->port), &(uri->port_number), &invalid);
+ if (rc != HTP_OK) return rc;
+
+ if (invalid) {
+ connp->in_tx->flags |= HTP_HOSTU_INVALID;
+ }
+
+ if (uri->hostname != NULL) {
+ if (htp_validate_hostname(uri->hostname) == 0) {
+ connp->in_tx->flags |= HTP_HOSTU_INVALID;
+ }
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Parses hostport provided in the Host header.
+ *
+ * @param[in] hostport
+ * @param[out] hostname
+ * @param[out] port
+ * @param[out] port_number
+ * @param[out] flags
+ * @return HTP_OK on success or HTP_ERROR error.
+ */
+htp_status_t htp_parse_header_hostport(bstr *hostport, bstr **hostname, bstr **port, int *port_number, uint64_t *flags) {
+ int invalid;
+
+ htp_status_t rc = htp_parse_hostport(hostport, hostname, port, port_number, &invalid);
+ if (rc != HTP_OK) return rc;
+
+ if (invalid) {
+ *flags |= HTP_HOSTH_INVALID;
+ }
+
+ if (*hostname != NULL) {
+ if (htp_validate_hostname(*hostname) == 0) {
+ *flags |= HTP_HOSTH_INVALID;
+ }
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Parses request URI, making no attempt to validate the contents.
+ *
+ * @param[in] input
+ * @param[in] uri
+ * @return HTP_ERROR on memory allocation failure, HTP_OK otherwise
+ */
+int htp_parse_uri(bstr *input, htp_uri_t **uri) {
+ // Allow a htp_uri_t structure to be provided on input,
+ // but allocate a new one if the structure is NULL.
+ if (*uri == NULL) {
+ *uri = calloc(1, sizeof (htp_uri_t));
+ if (*uri == NULL) return HTP_ERROR;
+ }
+
+ if (input == NULL) {
+ // The input might be NULL on requests that don't actually
+ // contain the URI. We allow that.
+ return HTP_OK;
+ }
+
+ unsigned char *data = bstr_ptr(input);
+ size_t len = bstr_len(input);
+ // remove trailing spaces
+ while (len > 0) {
+ if (data[len-1] != ' ') {
+ break;
+ }
+ len--;
+ }
+ size_t start, pos;
+
+ if (len == 0) {
+ // Empty string.
+ return HTP_OK;
+ }
+
+ pos = 0;
+
+ // Scheme test: if it doesn't start with a forward slash character (which it must
+ // for the contents to be a path or an authority, then it must be the scheme part
+ if (data[0] != '/') {
+ // Parse scheme
+
+ // Find the colon, which marks the end of the scheme part
+ start = pos;
+ while ((pos < len) && (data[pos] != ':')) pos++;
+
+ if (pos >= len) {
+ // We haven't found a colon, which means that the URI
+ // is invalid. Apache will ignore this problem and assume
+ // the URI contains an invalid path so, for the time being,
+ // we are going to do the same.
+ pos = 0;
+ } else {
+ // Make a copy of the scheme
+ (*uri)->scheme = bstr_dup_mem(data + start, pos - start);
+ if ((*uri)->scheme == NULL) return HTP_ERROR;
+
+ // Go over the colon
+ pos++;
+ }
+ }
+
+ // Authority test: two forward slash characters and it's an authority.
+ // One, three or more slash characters, and it's a path. We, however,
+ // only attempt to parse authority if we've seen a scheme.
+ if ((*uri)->scheme != NULL)
+ if ((pos + 2 < len) && (data[pos] == '/') && (data[pos + 1] == '/') && (data[pos + 2] != '/')) {
+ // Parse authority
+
+ // Go over the two slash characters
+ start = pos = pos + 2;
+
+ // Authority ends with a question mark, forward slash or hash
+ while ((pos < len) && (data[pos] != '?') && (data[pos] != '/') && (data[pos] != '#')) pos++;
+
+ unsigned char *hostname_start;
+ size_t hostname_len;
+
+ // Are the credentials included in the authority?
+ unsigned char *m = memchr(data + start, '@', pos - start);
+ if (m != NULL) {
+ // Credentials present
+ unsigned char *credentials_start = data + start;
+ size_t credentials_len = m - data - start;
+
+ // Figure out just the hostname part
+ hostname_start = data + start + credentials_len + 1;
+ hostname_len = pos - start - credentials_len - 1;
+
+ // Extract the username and the password
+ m = memchr(credentials_start, ':', credentials_len);
+ if (m != NULL) {
+ // Username and password
+ (*uri)->username = bstr_dup_mem(credentials_start, m - credentials_start);
+ if ((*uri)->username == NULL) return HTP_ERROR;
+ (*uri)->password = bstr_dup_mem(m + 1, credentials_len - (m - credentials_start) - 1);
+ if ((*uri)->password == NULL) return HTP_ERROR;
+ } else {
+ // Username alone
+ (*uri)->username = bstr_dup_mem(credentials_start, credentials_len);
+ if ((*uri)->username == NULL) return HTP_ERROR;
+ }
+ } else {
+ // No credentials
+ hostname_start = data + start;
+ hostname_len = pos - start;
+ }
+
+ // Parsing authority without credentials.
+ if ((hostname_len > 0) && (hostname_start[0] == '[')) {
+ // IPv6 address.
+
+ m = memchr(hostname_start, ']', hostname_len);
+ if (m == NULL) {
+ // Invalid IPv6 address; use the entire string as hostname.
+ (*uri)->hostname = bstr_dup_mem(hostname_start, hostname_len);
+ if ((*uri)->hostname == NULL) return HTP_ERROR;
+ } else {
+ (*uri)->hostname = bstr_dup_mem(hostname_start, m - hostname_start + 1);
+ if ((*uri)->hostname == NULL) return HTP_ERROR;
+
+ // Is there a port?
+ hostname_len = hostname_len - (m - hostname_start + 1);
+ hostname_start = m + 1;
+
+ // Port string
+ m = memchr(hostname_start, ':', hostname_len);
+ if (m != NULL) {
+ size_t port_len = hostname_len - (m - hostname_start) - 1;
+ (*uri)->port = bstr_dup_mem(m + 1, port_len);
+ if ((*uri)->port == NULL) return HTP_ERROR;
+ }
+ }
+ } else {
+ // Not IPv6 address.
+
+ m = memchr(hostname_start, ':', hostname_len);
+ if (m != NULL) {
+ size_t port_len = hostname_len - (m - hostname_start) - 1;
+ hostname_len = hostname_len - port_len - 1;
+
+ // Port string
+ (*uri)->port = bstr_dup_mem(m + 1, port_len);
+ if ((*uri)->port == NULL) return HTP_ERROR;
+ }
+
+ // Hostname
+ (*uri)->hostname = bstr_dup_mem(hostname_start, hostname_len);
+ if ((*uri)->hostname == NULL) return HTP_ERROR;
+ }
+ }
+
+ // Path
+ start = pos;
+
+ // The path part will end with a question mark or a hash character, which
+ // mark the beginning of the query part or the fragment part, respectively.
+ while ((pos < len) && (data[pos] != '?') && (data[pos] != '#')) pos++;
+
+ // Path
+ (*uri)->path = bstr_dup_mem(data + start, pos - start);
+ if ((*uri)->path == NULL) return HTP_ERROR;
+
+ if (pos == len) return HTP_OK;
+
+ // Query
+ if (data[pos] == '?') {
+ // Step over the question mark
+ start = pos + 1;
+
+ // The query part will end with the end of the input
+ // or the beginning of the fragment part
+ while ((pos < len) && (data[pos] != '#')) pos++;
+
+ // Query string
+ (*uri)->query = bstr_dup_mem(data + start, pos - start);
+ if ((*uri)->query == NULL) return HTP_ERROR;
+
+ if (pos == len) return HTP_OK;
+ }
+
+ // Fragment
+ if (data[pos] == '#') {
+ // Step over the hash character
+ start = pos + 1;
+
+ // Fragment; ends with the end of the input
+ (*uri)->fragment = bstr_dup_mem(data + start, len - start);
+ if ((*uri)->fragment == NULL) return HTP_ERROR;
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Convert two input bytes, pointed to by the pointer parameter,
+ * into a single byte by assuming the input consists of hexadecimal
+ * characters. This function will happily convert invalid input.
+ *
+ * @param[in] what
+ * @return hex-decoded byte
+ */
+static unsigned char x2c(unsigned char *what) {
+ register unsigned char digit;
+
+ digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A') + 10 : (what[0] - '0'));
+ digit *= 16;
+ digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A') + 10 : (what[1] - '0'));
+
+ return digit;
+}
+
+/**
+ * Convert a Unicode codepoint into a single-byte, using best-fit
+ * mapping (as specified in the provided configuration structure).
+ *
+ * @param[in] cfg
+ * @param[in] codepoint
+ * @return converted single byte
+ */
+static uint8_t bestfit_codepoint(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, uint32_t codepoint) {
+ // Is it a single-byte codepoint?
+ if (codepoint < 0x100) {
+ return (uint8_t) codepoint;
+ }
+
+ // Our current implementation converts only the 2-byte codepoints.
+ if (codepoint > 0xffff) {
+ return cfg->decoder_cfgs[ctx].bestfit_replacement_byte;
+ }
+
+ uint8_t *p = cfg->decoder_cfgs[ctx].bestfit_map;
+
+ // TODO Optimize lookup.
+
+ for (;;) {
+ uint32_t x = (p[0] << 8) + p[1];
+
+ if (x == 0) {
+ return cfg->decoder_cfgs[ctx].bestfit_replacement_byte;
+ }
+
+ if (x == codepoint) {
+ return p[2];
+ }
+
+ // Move to the next triplet
+ p += 3;
+ }
+}
+
+/**
+ * Decode a UTF-8 encoded path. Overlong characters will be decoded, invalid
+ * characters will be left as-is. Best-fit mapping will be used to convert
+ * UTF-8 into a single-byte stream.
+ *
+ * @param[in] cfg
+ * @param[in] tx
+ * @param[in] path
+ */
+void htp_utf8_decode_path_inplace(htp_cfg_t *cfg, htp_tx_t *tx, bstr *path) {
+ if (path == NULL) return;
+
+ uint8_t *data = bstr_ptr(path);
+ if (data == NULL) return;
+
+ size_t len = bstr_len(path);
+ size_t rpos = 0;
+ size_t wpos = 0;
+ uint32_t codepoint = 0;
+ uint32_t state = HTP_UTF8_ACCEPT;
+ uint32_t counter = 0;
+ uint8_t seen_valid = 0;
+
+ while ((rpos < len)&&(wpos < len)) {
+ counter++;
+
+ switch (htp_utf8_decode_allow_overlong(&state, &codepoint, data[rpos])) {
+ case HTP_UTF8_ACCEPT:
+ if (counter == 1) {
+ // ASCII character, which we just copy.
+ data[wpos++] = (uint8_t) codepoint;
+ } else {
+ // A valid UTF-8 character, which we need to convert.
+
+ seen_valid = 1;
+
+ // Check for overlong characters and set the flag accordingly.
+ switch (counter) {
+ case 2:
+ if (codepoint < 0x80) {
+ tx->flags |= HTP_PATH_UTF8_OVERLONG;
+ }
+ break;
+ case 3:
+ if (codepoint < 0x800) {
+ tx->flags |= HTP_PATH_UTF8_OVERLONG;
+ }
+ break;
+ case 4:
+ if (codepoint < 0x10000) {
+ tx->flags |= HTP_PATH_UTF8_OVERLONG;
+ }
+ break;
+ }
+
+ // Special flag for half-width/full-width evasion.
+ if ((codepoint >= 0xff00) && (codepoint <= 0xffef)) {
+ tx->flags |= HTP_PATH_HALF_FULL_RANGE;
+ }
+
+ // Use best-fit mapping to convert to a single byte.
+ data[wpos++] = bestfit_codepoint(cfg, HTP_DECODER_URL_PATH, codepoint);
+ }
+
+ // Advance over the consumed byte and reset the byte counter.
+ rpos++;
+ counter = 0;
+
+ break;
+
+ case HTP_UTF8_REJECT:
+ // Invalid UTF-8 character.
+
+ tx->flags |= HTP_PATH_UTF8_INVALID;
+
+ // Is the server expected to respond with 400?
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].utf8_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].utf8_invalid_unwanted;
+ }
+
+ // Output the replacement byte, replacing one or more invalid bytes.
+ data[wpos++] = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].bestfit_replacement_byte;
+
+ // If the invalid byte was first in a sequence, consume it. Otherwise,
+ // assume it's the starting byte of the next character.
+ if (counter == 1) {
+ rpos++;
+ }
+
+ // Reset the decoder state and continue decoding.
+ state = HTP_UTF8_ACCEPT;
+ codepoint = 0;
+ counter = 0;
+
+ break;
+
+ default:
+ // Keep going; the character is not yet formed.
+ rpos++;
+ break;
+ }
+ }
+
+ // Did the input stream seem like a valid UTF-8 string?
+ if ((seen_valid) && (!(tx->flags & HTP_PATH_UTF8_INVALID))) {
+ tx->flags |= HTP_PATH_UTF8_VALID;
+ }
+
+ // Adjust the length of the string, because
+ // we're doing in-place decoding.
+ bstr_adjust_len(path, wpos);
+}
+
+/**
+ * Validate a path that is quite possibly UTF-8 encoded.
+ *
+ * @param[in] tx
+ * @param[in] path
+ */
+void htp_utf8_validate_path(htp_tx_t *tx, bstr *path) {
+ unsigned char *data = bstr_ptr(path);
+ size_t len = bstr_len(path);
+ size_t rpos = 0;
+ uint32_t codepoint = 0;
+ uint32_t state = HTP_UTF8_ACCEPT;
+ uint32_t counter = 0; // How many bytes used by a UTF-8 character.
+ uint8_t seen_valid = 0;
+
+ while (rpos < len) {
+ counter++;
+
+ switch (htp_utf8_decode_allow_overlong(&state, &codepoint, data[rpos])) {
+ case HTP_UTF8_ACCEPT:
+ // We have a valid character.
+
+ if (counter > 1) {
+ // A valid UTF-8 character, consisting of 2 or more bytes.
+
+ seen_valid = 1;
+
+ // Check for overlong characters and set the flag accordingly.
+ switch (counter) {
+ case 2:
+ if (codepoint < 0x80) {
+ tx->flags |= HTP_PATH_UTF8_OVERLONG;
+ }
+ break;
+ case 3:
+ if (codepoint < 0x800) {
+ tx->flags |= HTP_PATH_UTF8_OVERLONG;
+ }
+ break;
+ case 4:
+ if (codepoint < 0x10000) {
+ tx->flags |= HTP_PATH_UTF8_OVERLONG;
+ }
+ break;
+ }
+ }
+
+ // Special flag for half-width/full-width evasion.
+ if ((codepoint > 0xfeff) && (codepoint < 0x010000)) {
+ tx->flags |= HTP_PATH_HALF_FULL_RANGE;
+ }
+
+ // Advance over the consumed byte and reset the byte counter.
+ rpos++;
+ counter = 0;
+
+ break;
+
+ case HTP_UTF8_REJECT:
+ // Invalid UTF-8 character.
+
+ tx->flags |= HTP_PATH_UTF8_INVALID;
+
+ // Override the decoder state because we want to continue decoding.
+ state = HTP_UTF8_ACCEPT;
+
+ // Advance over the consumed byte and reset the byte counter.
+ rpos++;
+ counter = 0;
+
+ break;
+
+ default:
+ // Keep going; the character is not yet formed.
+ rpos++;
+ break;
+ }
+ }
+
+ // Did the input stream seem like a valid UTF-8 string?
+ if ((seen_valid) && (!(tx->flags & HTP_PATH_UTF8_INVALID))) {
+ tx->flags |= HTP_PATH_UTF8_VALID;
+ }
+}
+
+/**
+ * Decode a %u-encoded character, using best-fit mapping as necessary. Path version.
+ *
+ * @param[in] cfg
+ * @param[in] tx
+ * @param[in] data
+ * @return decoded byte
+ */
+static uint8_t decode_u_encoding_path(htp_cfg_t *cfg, htp_tx_t *tx, unsigned char *data) {
+ uint8_t c1 = x2c(data);
+ uint8_t c2 = x2c(data + 2);
+ uint8_t r = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].bestfit_replacement_byte;
+
+ if (c1 == 0x00) {
+ r = c2;
+ tx->flags |= HTP_PATH_OVERLONG_U;
+ } else {
+ // Check for fullwidth form evasion
+ if (c1 == 0xff) {
+ tx->flags |= HTP_PATH_HALF_FULL_RANGE;
+ }
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].u_encoding_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].u_encoding_unwanted;
+ }
+
+ // Use best-fit mapping
+ unsigned char *p = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].bestfit_map;
+
+ // TODO Optimize lookup.
+
+ for (;;) {
+ // Have we reached the end of the map?
+ if ((p[0] == 0) && (p[1] == 0)) {
+ break;
+ }
+
+ // Have we found the mapping we're looking for?
+ if ((p[0] == c1) && (p[1] == c2)) {
+ r = p[2];
+ break;
+ }
+
+ // Move to the next triplet
+ p += 3;
+ }
+ }
+
+ // Check for encoded path separators
+ if ((r == '/') || ((cfg->decoder_cfgs[HTP_DECODER_URL_PATH].backslash_convert_slashes) && (r == '\\'))) {
+ tx->flags |= HTP_PATH_ENCODED_SEPARATOR;
+ }
+
+ return r;
+}
+
+/**
+ * Decode a %u-encoded character, using best-fit mapping as necessary. Params version.
+ *
+ * @param[in] cfg
+ * @param[in] tx
+ * @param[in] data
+ * @return decoded byte
+ */
+static uint8_t decode_u_encoding_params(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, unsigned char *data, uint64_t *flags) {
+ uint8_t c1 = x2c(data);
+ uint8_t c2 = x2c(data + 2);
+
+ // Check for overlong usage first.
+ if (c1 == 0) {
+ (*flags) |= HTP_URLEN_OVERLONG_U;
+ return c2;
+ }
+
+ // Both bytes were used.
+
+ // Detect half-width and full-width range.
+ if ((c1 == 0xff) && (c2 <= 0xef)) {
+ (*flags) |= HTP_URLEN_HALF_FULL_RANGE;
+ }
+
+ // Use best-fit mapping.
+ unsigned char *p = cfg->decoder_cfgs[ctx].bestfit_map;
+ uint8_t r = cfg->decoder_cfgs[ctx].bestfit_replacement_byte;
+
+ // TODO Optimize lookup.
+
+ for (;;) {
+ // Have we reached the end of the map?
+ if ((p[0] == 0) && (p[1] == 0)) {
+ break;
+ }
+
+ // Have we found the mapping we're looking for?
+ if ((p[0] == c1) && (p[1] == c2)) {
+ r = p[2];
+ break;
+ }
+
+ // Move to the next triplet
+ p += 3;
+ }
+
+ return r;
+}
+
+/**
+ * Decode a request path according to the settings in the
+ * provided configuration structure.
+ *
+ * @param[in] cfg
+ * @param[in] tx
+ * @param[in] path
+ */
+htp_status_t htp_decode_path_inplace(htp_tx_t *tx, bstr *path) {
+ if (path == NULL) return HTP_ERROR;
+ unsigned char *data = bstr_ptr(path);
+ if (data == NULL) return HTP_ERROR;
+
+ size_t len = bstr_len(path);
+
+ htp_cfg_t *cfg = tx->cfg;
+
+ size_t rpos = 0;
+ size_t wpos = 0;
+ int previous_was_separator = 0;
+
+ while ((rpos < len) && (wpos < len)) {
+ uint8_t c = data[rpos];
+
+ // Decode encoded characters
+ if (c == '%') {
+ if (rpos + 2 < len) {
+ int handled = 0;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].u_encoding_decode) {
+ // Check for the %u encoding
+ if ((data[rpos + 1] == 'u') || (data[rpos + 1] == 'U')) {
+ handled = 1;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].u_encoding_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].u_encoding_unwanted;
+ }
+
+ if (rpos + 5 < len) {
+ if (isxdigit(data[rpos + 2]) && (isxdigit(data[rpos + 3]))
+ && isxdigit(data[rpos + 4]) && (isxdigit(data[rpos + 5]))) {
+ // Decode a valid %u encoding
+ c = decode_u_encoding_path(cfg, tx, &data[rpos + 2]);
+ rpos += 6;
+
+ if (c == 0) {
+ tx->flags |= HTP_PATH_ENCODED_NUL;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_encoded_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_encoded_unwanted;
+ }
+ }
+ } else {
+ // Invalid %u encoding
+ tx->flags |= HTP_PATH_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; eat
+ // the percent character
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the percent character in output
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Decode invalid %u encoding
+ c = decode_u_encoding_path(cfg, tx, &data[rpos + 2]);
+ rpos += 6;
+ break;
+ }
+ }
+ } else {
+ // Invalid %u encoding (not enough data)
+ tx->flags |= HTP_PATH_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; eat
+ // the percent character
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the percent character in output
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Cannot decode, because there's not enough data.
+ // Leave the percent character in output
+ rpos++;
+ // TODO Configurable handling.
+ break;
+ }
+ }
+ }
+ }
+
+ // Handle standard URL encoding
+ if (!handled) {
+ if ((isxdigit(data[rpos + 1])) && (isxdigit(data[rpos + 2]))) {
+ c = x2c(&data[rpos + 1]);
+
+ if (c == 0) {
+ tx->flags |= HTP_PATH_ENCODED_NUL;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_encoded_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_encoded_unwanted;
+ }
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_encoded_terminates) {
+ bstr_adjust_len(path, wpos);
+ return HTP_OK;
+ }
+ }
+
+ if ((c == '/') || ((cfg->decoder_cfgs[HTP_DECODER_URL_PATH].backslash_convert_slashes) && (c == '\\'))) {
+ tx->flags |= HTP_PATH_ENCODED_SEPARATOR;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].path_separators_encoded_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].path_separators_encoded_unwanted;
+ }
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].path_separators_decode) {
+ // Decode
+ rpos += 3;
+ } else {
+ // Leave encoded
+ c = '%';
+ rpos++;
+ }
+ } else {
+ // Decode
+ rpos += 3;
+ }
+ } else {
+ // Invalid encoding
+ tx->flags |= HTP_PATH_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; eat
+ // the percent character
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the percent character in output
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Decode
+ c = x2c(&data[rpos + 1]);
+ rpos += 3;
+ // Note: What if an invalid encoding decodes into a path
+ // separator? This is theoretical at the moment, because
+ // the only platform we know doesn't convert separators is
+ // Apache, who will also respond with 400 if invalid encoding
+ // is encountered. Thus no check for a separator here.
+ break;
+ default:
+ // Unknown setting
+ return HTP_ERROR;
+ break;
+ }
+ }
+ }
+ } else {
+ // Invalid URL encoding (not enough data)
+ tx->flags |= HTP_PATH_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; eat
+ // the percent character
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the percent character in output
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Cannot decode, because there's not enough data.
+ // Leave the percent character in output.
+ // TODO Configurable handling.
+ rpos++;
+ break;
+ }
+ }
+ } else {
+ // One non-encoded character
+
+ // Is it a NUL byte?
+ if (c == 0) {
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_raw_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_raw_unwanted;
+ }
+
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].nul_raw_terminates) {
+ // Terminate path with a raw NUL byte
+ bstr_adjust_len(path, wpos);
+ return HTP_OK;
+ break;
+ }
+ }
+
+ rpos++;
+ }
+
+ // Place the character into output
+
+ // Check for control characters
+ if (c < 0x20) {
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].control_chars_unwanted != HTP_UNWANTED_IGNORE) {
+ tx->response_status_expected_number = cfg->decoder_cfgs[HTP_DECODER_URL_PATH].control_chars_unwanted;
+ }
+ }
+
+ // Convert backslashes to forward slashes, if necessary
+ if ((c == '\\') && (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].backslash_convert_slashes)) {
+ c = '/';
+ }
+
+ // Lowercase characters, if necessary
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].convert_lowercase) {
+ c = (uint8_t) tolower(c);
+ }
+
+ // If we're compressing separators then we need
+ // to track if the previous character was a separator
+ if (cfg->decoder_cfgs[HTP_DECODER_URL_PATH].path_separators_compress) {
+ if (c == '/') {
+ if (!previous_was_separator) {
+ data[wpos++] = c;
+ previous_was_separator = 1;
+ } else {
+ // Do nothing; we don't want
+ // another separator in output
+ }
+ } else {
+ data[wpos++] = c;
+ previous_was_separator = 0;
+ }
+ } else {
+ data[wpos++] = c;
+ }
+ }
+
+ bstr_adjust_len(path, wpos);
+
+ return HTP_OK;
+}
+
+htp_status_t htp_tx_urldecode_uri_inplace(htp_tx_t *tx, bstr *input) {
+ uint64_t flags = 0;
+
+ htp_status_t rc = htp_urldecode_inplace_ex(tx->cfg, HTP_DECODER_URL_PATH, input, &flags, &(tx->response_status_expected_number));
+
+ if (flags & HTP_URLEN_INVALID_ENCODING) {
+ tx->flags |= HTP_PATH_INVALID_ENCODING;
+ }
+
+ if (flags & HTP_URLEN_ENCODED_NUL) {
+ tx->flags |= HTP_PATH_ENCODED_NUL;
+ }
+
+ if (flags & HTP_URLEN_RAW_NUL) {
+ tx->flags |= HTP_PATH_RAW_NUL;
+ }
+
+ return rc;
+}
+
+htp_status_t htp_tx_urldecode_params_inplace(htp_tx_t *tx, bstr *input) {
+ return htp_urldecode_inplace_ex(tx->cfg, HTP_DECODER_URLENCODED, input, &(tx->flags), &(tx->response_status_expected_number));
+}
+
+htp_status_t htp_urldecode_inplace(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags) {
+ int expected_status_code = 0;
+ return htp_urldecode_inplace_ex(cfg, ctx, input, flags, &expected_status_code);
+}
+
+htp_status_t htp_urldecode_inplace_ex(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags, int *expected_status_code) {
+ if (input == NULL) return HTP_ERROR;
+
+ unsigned char *data = bstr_ptr(input);
+ if (data == NULL) return HTP_ERROR;
+ size_t len = bstr_len(input);
+
+ size_t rpos = 0;
+ size_t wpos = 0;
+
+ while ((rpos < len) && (wpos < len)) {
+ uint8_t c = data[rpos];
+
+ // Decode encoded characters.
+ if (c == '%') {
+ // Need at least 2 additional bytes for %HH.
+ if (rpos + 2 < len) {
+ int handled = 0;
+
+ // Decode %uHHHH encoding, but only if allowed in configuration.
+ if (cfg->decoder_cfgs[ctx].u_encoding_decode) {
+ // The next character must be a case-insensitive u.
+ if ((data[rpos + 1] == 'u') || (data[rpos + 1] == 'U')) {
+ handled = 1;
+
+ if (cfg->decoder_cfgs[ctx].u_encoding_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].u_encoding_unwanted;
+ }
+
+ // Need at least 5 additional bytes for %uHHHH.
+ if (rpos + 5 < len) {
+ if (isxdigit(data[rpos + 2]) && (isxdigit(data[rpos + 3]))
+ && isxdigit(data[rpos + 4]) && (isxdigit(data[rpos + 5]))) {
+ // Decode a valid %u encoding.
+ c = decode_u_encoding_params(cfg, ctx, &(data[rpos + 2]), flags);
+ rpos += 6;
+ } else {
+ // Invalid %u encoding (could not find 4 xdigits).
+ (*flags) |= HTP_URLEN_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[ctx].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; consume the %.
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the % in output.
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Decode invalid %u encoding.
+ c = decode_u_encoding_params(cfg, ctx, &(data[rpos + 2]), flags);
+ rpos += 6;
+ break;
+ }
+ }
+ } else {
+ // Invalid %u encoding; not enough data.
+ (*flags) |= HTP_URLEN_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[ctx].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; consume the %.
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the % in output.
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Cannot decode because there's not enough data.
+ // Leave the % in output.
+ // TODO Configurable handling of %, u, etc.
+ rpos++;
+ break;
+ }
+ }
+ }
+ }
+
+ // Handle standard URL encoding.
+ if (!handled) {
+ // Need 2 hexadecimal digits.
+ if ((isxdigit(data[rpos + 1])) && (isxdigit(data[rpos + 2]))) {
+ // Decode %HH encoding.
+ c = x2c(&(data[rpos + 1]));
+ rpos += 3;
+ } else {
+ // Invalid encoding (enough bytes, but not hexadecimal digits).
+ (*flags) |= HTP_URLEN_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[ctx].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; consume the %.
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the % in output.
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Decode.
+ c = x2c(&(data[rpos + 1]));
+ rpos += 3;
+ break;
+ }
+ }
+ }
+ } else {
+ // Invalid encoding; not enough data (at least 2 bytes required).
+ (*flags) |= HTP_URLEN_INVALID_ENCODING;
+
+ if (cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].url_encoding_invalid_unwanted;
+ }
+
+ switch (cfg->decoder_cfgs[ctx].url_encoding_invalid_handling) {
+ case HTP_URL_DECODE_REMOVE_PERCENT:
+ // Do not place anything in output; consume the %.
+ rpos++;
+ continue;
+ break;
+ case HTP_URL_DECODE_PRESERVE_PERCENT:
+ // Leave the % in output.
+ rpos++;
+ break;
+ case HTP_URL_DECODE_PROCESS_INVALID:
+ // Cannot decode because there's not enough data.
+ // Leave the % in output.
+ // TODO Configurable handling of %, etc.
+ rpos++;
+ break;
+ }
+ }
+
+ // Did we get an encoded NUL byte?
+ if (c == 0) {
+ if (cfg->decoder_cfgs[ctx].nul_encoded_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].nul_encoded_unwanted;
+ }
+
+ (*flags) |= HTP_URLEN_ENCODED_NUL;
+
+ if (cfg->decoder_cfgs[ctx].nul_encoded_terminates) {
+ // Terminate the path at the raw NUL byte.
+ bstr_adjust_len(input, wpos);
+ return 1;
+ }
+ }
+
+ data[wpos++] = c;
+ } else if (c == '+') {
+ // Decoding of the plus character is conditional on the configuration.
+
+ if (cfg->decoder_cfgs[ctx].plusspace_decode) {
+ c = 0x20;
+ }
+
+ rpos++;
+ data[wpos++] = c;
+ } else {
+ // One non-encoded byte.
+
+ // Did we get a raw NUL byte?
+ if (c == 0) {
+ if (cfg->decoder_cfgs[ctx].nul_raw_unwanted != HTP_UNWANTED_IGNORE) {
+ (*expected_status_code) = cfg->decoder_cfgs[ctx].nul_raw_unwanted;
+ }
+
+ (*flags) |= HTP_URLEN_RAW_NUL;
+
+ if (cfg->decoder_cfgs[ctx].nul_raw_terminates) {
+ // Terminate the path at the encoded NUL byte.
+ bstr_adjust_len(input, wpos);
+ return HTP_OK;
+ }
+ }
+
+ rpos++;
+ data[wpos++] = c;
+ }
+ }
+
+ bstr_adjust_len(input, wpos);
+
+ return HTP_OK;
+}
+
+/**
+ * Normalize a previously-parsed request URI.
+ *
+ * @param[in] connp
+ * @param[in] incomplete
+ * @param[in] normalized
+ * @return HTP_OK or HTP_ERROR
+ */
+int htp_normalize_parsed_uri(htp_tx_t *tx, htp_uri_t *incomplete, htp_uri_t *normalized) {
+ // Scheme.
+ if (incomplete->scheme != NULL) {
+ // Duplicate and convert to lowercase.
+ normalized->scheme = bstr_dup_lower(incomplete->scheme);
+ if (normalized->scheme == NULL) return HTP_ERROR;
+ }
+
+ // Username.
+ if (incomplete->username != NULL) {
+ normalized->username = bstr_dup(incomplete->username);
+ if (normalized->username == NULL) return HTP_ERROR;
+ htp_tx_urldecode_uri_inplace(tx, normalized->username);
+ }
+
+ // Password.
+ if (incomplete->password != NULL) {
+ normalized->password = bstr_dup(incomplete->password);
+ if (normalized->password == NULL) return HTP_ERROR;
+ htp_tx_urldecode_uri_inplace(tx, normalized->password);
+ }
+
+ // Hostname.
+ if (incomplete->hostname != NULL) {
+ // We know that incomplete->hostname does not contain
+ // port information, so no need to check for it here.
+ normalized->hostname = bstr_dup(incomplete->hostname);
+ if (normalized->hostname == NULL) return HTP_ERROR;
+ htp_tx_urldecode_uri_inplace(tx, normalized->hostname);
+ htp_normalize_hostname_inplace(normalized->hostname);
+ }
+
+ // Port.
+ if (incomplete->port != NULL) {
+ int64_t port_parsed = htp_parse_positive_integer_whitespace(
+ bstr_ptr(incomplete->port), bstr_len(incomplete->port), 10);
+
+ if (port_parsed < 0) {
+ // Failed to parse the port number.
+ normalized->port_number = -1;
+ tx->flags |= HTP_HOSTU_INVALID;
+ } else if ((port_parsed > 0) && (port_parsed < 65536)) {
+ // Valid port number.
+ normalized->port_number = (int) port_parsed;
+ } else {
+ // Port number out of range.
+ normalized->port_number = -1;
+ tx->flags |= HTP_HOSTU_INVALID;
+ }
+ } else {
+ normalized->port_number = -1;
+ }
+
+ // Path.
+ if (incomplete->path != NULL) {
+ // Make a copy of the path, so that we can work on it.
+ normalized->path = bstr_dup(incomplete->path);
+ if (normalized->path == NULL) return HTP_ERROR;
+
+ // Decode URL-encoded (and %u-encoded) characters, as well as lowercase,
+ // compress separators and convert backslashes.
+ htp_decode_path_inplace(tx, normalized->path);
+
+ // Handle UTF-8 in the path.
+ if (tx->cfg->decoder_cfgs[HTP_DECODER_URL_PATH].utf8_convert_bestfit) {
+ // Decode Unicode characters into a single-byte stream, using best-fit mapping.
+ htp_utf8_decode_path_inplace(tx->cfg, tx, normalized->path);
+ } else {
+ // No decoding, but try to validate the path as a UTF-8 stream.
+ htp_utf8_validate_path(tx, normalized->path);
+ }
+
+ // RFC normalization.
+ htp_normalize_uri_path_inplace(normalized->path);
+ }
+
+ // Query string.
+ if (incomplete->query != NULL) {
+ normalized->query = bstr_dup(incomplete->query);
+ if (normalized->query == NULL) return HTP_ERROR;
+ }
+
+ // Fragment.
+ if (incomplete->fragment != NULL) {
+ normalized->fragment = bstr_dup(incomplete->fragment);
+ if (normalized->fragment == NULL) return HTP_ERROR;
+ htp_tx_urldecode_uri_inplace(tx, normalized->fragment);
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Normalize request hostname. Convert all characters to lowercase and
+ * remove trailing dots from the end, if present.
+ *
+ * @param[in] hostname
+ * @return Normalized hostname.
+ */
+bstr *htp_normalize_hostname_inplace(bstr *hostname) {
+ if (hostname == NULL) return NULL;
+
+ bstr_to_lowercase(hostname);
+
+ // Remove dots from the end of the string.
+ while (bstr_char_at_end(hostname, 0) == '.') bstr_chop(hostname);
+
+ return hostname;
+}
+
+/**
+ * Normalize URL path. This function implements the remove dot segments algorithm
+ * specified in RFC 3986, section 5.2.4.
+ *
+ * @param[in] s
+ */
+void htp_normalize_uri_path_inplace(bstr *s) {
+ if (s == NULL) return;
+
+ unsigned char *data = bstr_ptr(s);
+ if (data == NULL) return;
+ size_t len = bstr_len(s);
+
+ size_t rpos = 0;
+ size_t wpos = 0;
+
+ int c = -1;
+ while ((rpos < len)&&(wpos < len)) {
+ if (c == -1) {
+ c = data[rpos++];
+ }
+
+ // A. If the input buffer begins with a prefix of "../" or "./",
+ // then remove that prefix from the input buffer; otherwise,
+ if (c == '.') {
+ if ((rpos + 1 < len) && (data[rpos] == '.') && (data[rpos + 1] == '/')) {
+ c = -1;
+ rpos += 2;
+ continue;
+ } else if ((rpos < len) && (data[rpos] == '/')) {
+ c = -1;
+ rpos += 1;
+ continue;
+ }
+ }
+
+ if (c == '/') {
+ // B. if the input buffer begins with a prefix of "/./" or "/.",
+ // where "." is a complete path segment, then replace that
+ // prefix with "/" in the input buffer; otherwise,
+ if ((rpos + 1 < len) && (data[rpos] == '.') && (data[rpos + 1] == '/')) {
+ c = '/';
+ rpos += 2;
+ continue;
+ } else if ((rpos + 1 == len) && (data[rpos] == '.')) {
+ c = '/';
+ rpos += 1;
+ continue;
+ }
+
+ // C. if the input buffer begins with a prefix of "/../" or "/..",
+ // where ".." is a complete path segment, then replace that
+ // prefix with "/" in the input buffer and remove the last
+ // segment and its preceding "/" (if any) from the output
+ // buffer; otherwise,
+ if ((rpos + 2 < len) && (data[rpos] == '.') && (data[rpos + 1] == '.') && (data[rpos + 2] == '/')) {
+ c = '/';
+ rpos += 3;
+
+ // Remove the last segment
+ while ((wpos > 0) && (data[wpos - 1] != '/')) wpos--;
+ if (wpos > 0) wpos--;
+ continue;
+ } else if ((rpos + 2 == len) && (data[rpos] == '.') && (data[rpos + 1] == '.')) {
+ c = '/';
+ rpos += 2;
+
+ // Remove the last segment
+ while ((wpos > 0) && (data[wpos - 1] != '/')) wpos--;
+ if (wpos > 0) wpos--;
+ continue;
+ }
+ }
+
+ // D. if the input buffer consists only of "." or "..", then remove
+ // that from the input buffer; otherwise,
+ if ((c == '.') && (rpos == len)) {
+ rpos++;
+ continue;
+ }
+
+ if ((c == '.') && (rpos + 1 == len) && (data[rpos] == '.')) {
+ rpos += 2;
+ continue;
+ }
+
+ // E. move the first path segment in the input buffer to the end of
+ // the output buffer, including the initial "/" character (if
+ // any) and any subsequent characters up to, but not including,
+ // the next "/" character or the end of the input buffer.
+ data[wpos++] = (uint8_t) c;
+
+ while ((rpos < len) && (data[rpos] != '/') && (wpos < len)) {
+ data[wpos++] = data[rpos++];
+ }
+
+ c = -1;
+ }
+
+ bstr_adjust_len(s, wpos);
+}
+
+/**
+ *
+ */
+void fprint_bstr(FILE *stream, const char *name, bstr *b) {
+ if (b == NULL) {
+ fprint_raw_data_ex(stream, name, "(null)", 0, 6);
+ return;
+ }
+
+ fprint_raw_data_ex(stream, name, bstr_ptr(b), 0, bstr_len(b));
+}
+
+/**
+ *
+ */
+void fprint_raw_data(FILE *stream, const char *name, const void *data, size_t len) {
+ // may happen for gaps
+ if (data == NULL) {
+ fprintf(stream, "\n%s: ptr NULL len %u\n", name, (unsigned int)len);
+ } else {
+ fprint_raw_data_ex(stream, name, data, 0, len);
+ }
+}
+
+/**
+ *
+ */
+void fprint_raw_data_ex(FILE *stream, const char *name, const void *_data, size_t offset, size_t printlen) {
+ const unsigned char *data = (const unsigned char *) _data;
+ char buf[160];
+ size_t len = offset + printlen;
+
+ fprintf(stream, "\n%s: ptr %p offset %u len %u\n", name, (void*) data, (unsigned int)offset, (unsigned int)len);
+
+ while (offset < len) {
+ size_t i;
+
+ snprintf(buf, sizeof(buf), "%x" PRIx64, (unsigned int) offset);
+ strlcat(buf, " ", sizeof(buf));
+
+ i = 0;
+ while (i < 8) {
+ if (offset + i < len) {
+ char step[4];
+ snprintf(step, sizeof(step), "%02x ", data[offset + i]);
+ strlcat(buf, step, sizeof(buf));
+ } else {
+ strlcat(buf, " ", sizeof(buf));
+ }
+
+ i++;
+ }
+
+ strlcat(buf, " ", sizeof(buf));
+
+ i = 8;
+ while (i < 16) {
+ if (offset + i < len) {
+ char step[4];
+ snprintf(step, sizeof(step), "%02x ", data[offset + i]);
+ strlcat(buf, step, sizeof(buf));
+ } else {
+ strlcat(buf, " ", sizeof(buf));
+ }
+
+ i++;
+ }
+
+ strlcat(buf, " |", sizeof(buf));
+
+ i = 0;
+ char *p = buf + strlen(buf);
+ while ((offset + i < len) && (i < 16)) {
+ uint8_t c = data[offset + i];
+
+ if (isprint(c)) {
+ *p++ = c;
+ } else {
+ *p++ = '.';
+ }
+
+ i++;
+ }
+
+ *p++ = '|';
+ *p++ = '\n';
+ *p = '\0';
+
+ fprintf(stream, "%s", buf);
+ offset += 16;
+ }
+
+ fprintf(stream, "\n");
+}
+
+/**
+ *
+ */
+char *htp_connp_in_state_as_string(htp_connp_t *connp) {
+ if (connp == NULL) return "NULL";
+
+ if (connp->in_state == htp_connp_REQ_IDLE) return "REQ_IDLE";
+ if (connp->in_state == htp_connp_REQ_LINE) return "REQ_LINE";
+ if (connp->in_state == htp_connp_REQ_PROTOCOL) return "REQ_PROTOCOL";
+ if (connp->in_state == htp_connp_REQ_HEADERS) return "REQ_HEADERS";
+ if (connp->in_state == htp_connp_REQ_CONNECT_CHECK) return "REQ_CONNECT_CHECK";
+ if (connp->in_state == htp_connp_REQ_CONNECT_WAIT_RESPONSE) return "REQ_CONNECT_WAIT_RESPONSE";
+ if (connp->in_state == htp_connp_REQ_BODY_DETERMINE) return "REQ_BODY_DETERMINE";
+ if (connp->in_state == htp_connp_REQ_BODY_IDENTITY) return "REQ_BODY_IDENTITY";
+ if (connp->in_state == htp_connp_REQ_BODY_CHUNKED_LENGTH) return "REQ_BODY_CHUNKED_LENGTH";
+ if (connp->in_state == htp_connp_REQ_BODY_CHUNKED_DATA) return "REQ_BODY_CHUNKED_DATA";
+ if (connp->in_state == htp_connp_REQ_BODY_CHUNKED_DATA_END) return "REQ_BODY_CHUNKED_DATA_END";
+ if (connp->in_state == htp_connp_REQ_FINALIZE) return "REQ_FINALIZE";
+ if (connp->in_state == htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9) return "REQ_IGNORE_DATA_AFTER_HTTP_0_9";
+
+ return "UNKNOWN";
+}
+
+/**
+ *
+ */
+char *htp_connp_out_state_as_string(htp_connp_t *connp) {
+ if (connp == NULL) return "NULL";
+
+ if (connp->out_state == htp_connp_RES_IDLE) return "RES_IDLE";
+ if (connp->out_state == htp_connp_RES_LINE) return "RES_LINE";
+ if (connp->out_state == htp_connp_RES_HEADERS) return "RES_HEADERS";
+ if (connp->out_state == htp_connp_RES_BODY_DETERMINE) return "RES_BODY_DETERMINE";
+ if (connp->out_state == htp_connp_RES_BODY_IDENTITY_CL_KNOWN) return "RES_BODY_IDENTITY_CL_KNOWN";
+ if (connp->out_state == htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE) return "RES_BODY_IDENTITY_STREAM_CLOSE";
+ if (connp->out_state == htp_connp_RES_BODY_CHUNKED_LENGTH) return "RES_BODY_CHUNKED_LENGTH";
+ if (connp->out_state == htp_connp_RES_BODY_CHUNKED_DATA) return "RES_BODY_CHUNKED_DATA";
+ if (connp->out_state == htp_connp_RES_BODY_CHUNKED_DATA_END) return "RES_BODY_CHUNKED_DATA_END";
+ if (connp->out_state == htp_connp_RES_FINALIZE) return "RES_BODY_FINALIZE";
+
+ return "UNKNOWN";
+}
+
+/**
+ *
+ */
+char *htp_tx_request_progress_as_string(htp_tx_t *tx) {
+ if (tx == NULL) return "NULL";
+
+ switch (tx->request_progress) {
+ case HTP_REQUEST_NOT_STARTED:
+ return "NOT_STARTED";
+ case HTP_REQUEST_LINE:
+ return "REQ_LINE";
+ case HTP_REQUEST_HEADERS:
+ return "REQ_HEADERS";
+ case HTP_REQUEST_BODY:
+ return "REQ_BODY";
+ case HTP_REQUEST_TRAILER:
+ return "REQ_TRAILER";
+ case HTP_REQUEST_COMPLETE:
+ return "COMPLETE";
+ }
+
+ return "INVALID";
+}
+
+/**
+ *
+ */
+char *htp_tx_response_progress_as_string(htp_tx_t *tx) {
+ if (tx == NULL) return "NULL";
+
+ switch (tx->response_progress) {
+ case HTP_RESPONSE_NOT_STARTED:
+ return "NOT_STARTED";
+ case HTP_RESPONSE_LINE:
+ return "RES_LINE";
+ case HTP_RESPONSE_HEADERS:
+ return "RES_HEADERS";
+ case HTP_RESPONSE_BODY:
+ return "RES_BODY";
+ case HTP_RESPONSE_TRAILER:
+ return "RES_TRAILER";
+ case HTP_RESPONSE_COMPLETE:
+ return "COMPLETE";
+ }
+
+ return "INVALID";
+}
+
+bstr *htp_unparse_uri_noencode(htp_uri_t *uri) {
+ if (uri == NULL) return NULL;
+
+ // On the first pass determine the length of the final string
+ size_t len = 0;
+
+ if (uri->scheme != NULL) {
+ len += bstr_len(uri->scheme);
+ len += 3; // "://"
+ }
+
+ if ((uri->username != NULL) || (uri->password != NULL)) {
+ if (uri->username != NULL) {
+ len += bstr_len(uri->username);
+ }
+
+ len += 1; // ":"
+
+ if (uri->password != NULL) {
+ len += bstr_len(uri->password);
+ }
+
+ len += 1; // "@"
+ }
+
+ if (uri->hostname != NULL) {
+ len += bstr_len(uri->hostname);
+ }
+
+ if (uri->port != NULL) {
+ len += 1; // ":"
+ len += bstr_len(uri->port);
+ }
+
+ if (uri->path != NULL) {
+ len += bstr_len(uri->path);
+ }
+
+ if (uri->query != NULL) {
+ len += 1; // "?"
+ len += bstr_len(uri->query);
+ }
+
+ if (uri->fragment != NULL) {
+ len += 1; // "#"
+ len += bstr_len(uri->fragment);
+ }
+
+ // On the second pass construct the string
+ bstr *r = bstr_alloc(len);
+ if (r == NULL) return NULL;
+
+ if (uri->scheme != NULL) {
+ bstr_add_noex(r, uri->scheme);
+ bstr_add_c_noex(r, "://");
+ }
+
+ if ((uri->username != NULL) || (uri->password != NULL)) {
+ if (uri->username != NULL) {
+ bstr_add_noex(r, uri->username);
+ }
+
+ bstr_add_c_noex(r, ":");
+
+ if (uri->password != NULL) {
+ bstr_add_noex(r, uri->password);
+ }
+
+ bstr_add_c_noex(r, "@");
+ }
+
+ if (uri->hostname != NULL) {
+ bstr_add_noex(r, uri->hostname);
+ }
+
+ if (uri->port != NULL) {
+ bstr_add_c_noex(r, ":");
+ bstr_add_noex(r, uri->port);
+ }
+
+ if (uri->path != NULL) {
+ bstr_add_noex(r, uri->path);
+ }
+
+ if (uri->query != NULL) {
+ bstr_add_c_noex(r, "?");
+ bstr_add_noex(r, uri->query);
+ }
+
+ if (uri->fragment != NULL) {
+ bstr_add_c_noex(r, "#");
+ bstr_add_noex(r, uri->fragment);
+ }
+
+ return r;
+}
+
+/**
+ * Determine if the information provided on the response line
+ * is good enough. Browsers are lax when it comes to response
+ * line parsing. In most cases they will only look for the
+ * words "http" at the beginning.
+ *
+ * @param[in] data pointer to bytearray
+ * @param[in] len length in bytes of data
+ * @return 1 for good enough or 0 for not good enough
+ */
+int htp_treat_response_line_as_body(const uint8_t *data, size_t len) {
+ // Browser behavior:
+ // Firefox 3.5.x: (?i)^\s*http
+ // IE: (?i)^\s*http\s*/
+ // Safari: ^HTTP/\d+\.\d+\s+\d{3}
+ size_t pos = 0;
+
+ if (data == NULL) return 1;
+ while ((pos < len) && (htp_is_space(data[pos]) || data[pos] == 0)) pos++;
+
+ if (len < pos + 4) return 1;
+
+ if ((data[pos] != 'H') && (data[pos] != 'h')) return 1;
+ if ((data[pos+1] != 'T') && (data[pos+1] != 't')) return 1;
+ if ((data[pos+2] != 'T') && (data[pos+2] != 't')) return 1;
+ if ((data[pos+3] != 'P') && (data[pos+3] != 'p')) return 1;
+
+ return 0;
+}
+
+/**
+ * Run the REQUEST_BODY_DATA hook.
+ *
+ * @param[in] connp
+ * @param[in] d
+ */
+htp_status_t htp_req_run_hook_body_data(htp_connp_t *connp, htp_tx_data_t *d) {
+ // Do not invoke callbacks with an empty data chunk
+ if ((d->data != NULL) && (d->len == 0)) return HTP_OK;
+
+ // Do not invoke callbacks without a transaction.
+ if (connp->in_tx == NULL) return HTP_OK;
+
+ // Run transaction hooks first
+ htp_status_t rc = htp_hook_run_all(connp->in_tx->hook_request_body_data, d);
+ if (rc != HTP_OK) return rc;
+
+ // Run configuration hooks second
+ rc = htp_hook_run_all(connp->cfg->hook_request_body_data, d);
+ if (rc != HTP_OK) return rc;
+
+ // On PUT requests, treat request body as file
+ if (connp->put_file != NULL) {
+ htp_file_data_t file_data;
+
+ file_data.data = d->data;
+ file_data.len = d->len;
+ file_data.file = connp->put_file;
+ file_data.file->len += d->len;
+
+ rc = htp_hook_run_all(connp->cfg->hook_request_file_data, &file_data);
+ if (rc != HTP_OK) return rc;
+ }
+
+ return HTP_OK;
+}
+
+/**
+ * Run the RESPONSE_BODY_DATA hook.
+ *
+ * @param[in] connp
+ * @param[in] d
+ */
+htp_status_t htp_res_run_hook_body_data(htp_connp_t *connp, htp_tx_data_t *d) {
+ // Do not invoke callbacks with an empty data chunk.
+ if ((d->data != NULL) && (d->len == 0)) return HTP_OK;
+
+ // Run transaction hooks first
+ htp_status_t rc = htp_hook_run_all(connp->out_tx->hook_response_body_data, d);
+ if (rc != HTP_OK) return rc;
+
+ // Run configuration hooks second
+ rc = htp_hook_run_all(connp->cfg->hook_response_body_data, d);
+ if (rc != HTP_OK) return rc;
+
+ return HTP_OK;
+}
+
+/**
+ * Parses the provided memory region, extracting the double-quoted string.
+ *
+ * @param[in] data
+ * @param[in] len
+ * @param[out] out
+ * @param[out] endoffset
+ * @return HTP_OK on success, HTP_DECLINED if the input is not well formed, and HTP_ERROR on fatal errors.
+ */
+htp_status_t htp_extract_quoted_string_as_bstr(unsigned char *data, size_t len, bstr **out, size_t *endoffset) {
+ if ((data == NULL) || (out == NULL)) return HTP_ERROR;
+
+ if (len == 0) return HTP_DECLINED;
+
+ size_t pos = 0;
+
+ // Check that the first character is a double quote.
+ if (data[pos] != '"') return HTP_DECLINED;
+
+ // Step over the double quote.
+ pos++;
+ if (pos == len) return HTP_DECLINED;
+
+ // Calculate the length of the resulting string.
+ size_t escaped_chars = 0;
+ while (pos < len) {
+ if (data[pos] == '\\') {
+ if (pos + 1 < len) {
+ escaped_chars++;
+ pos += 2;
+ continue;
+ }
+ } else if (data[pos] == '"') {
+ break;
+ }
+
+ pos++;
+ }
+
+ // Have we reached the end of input without seeing the terminating double quote?
+ if (pos == len) return HTP_DECLINED;
+
+ // Copy the data and unescape it as necessary.
+ size_t outlen = pos - 1 - escaped_chars;
+ *out = bstr_alloc(outlen);
+ if (*out == NULL) return HTP_ERROR;
+ unsigned char *outptr = bstr_ptr(*out);
+ size_t outpos = 0;
+
+ pos = 1;
+ while ((pos < len) && (outpos < outlen)) {
+ // TODO We are not properly unescaping test here, we're only
+ // handling escaped double quotes.
+ if (data[pos] == '\\') {
+ if (pos + 1 < len) {
+ outptr[outpos++] = data[pos + 1];
+ pos += 2;
+ continue;
+ }
+ } else if (data[pos] == '"') {
+ break;
+ }
+
+ outptr[outpos++] = data[pos++];
+ }
+
+ bstr_adjust_len(*out, outlen);
+
+ if (endoffset != NULL) {
+ *endoffset = pos;
+ }
+
+ return HTP_OK;
+}
+
+htp_status_t htp_parse_ct_header(bstr *header, bstr **ct) {
+ if ((header == NULL) || (ct == NULL)) return HTP_ERROR;
+
+ unsigned char *data = bstr_ptr(header);
+ size_t len = bstr_len(header);
+
+ // The assumption here is that the header value we receive
+ // here has been left-trimmed, which means the starting position
+ // is on the media type. On some platforms that may not be the
+ // case, and we may need to do the left-trim ourselves.
+
+ // Find the end of the MIME type, using the same approach PHP 5.4.3 uses.
+ size_t pos = 0;
+ while ((pos < len) && (data[pos] != ';') && (data[pos] != ',') && (data[pos] != ' ')) pos++;
+
+ *ct = bstr_dup_ex(header, 0, pos);
+ if (*ct == NULL) return HTP_ERROR;
+
+ bstr_to_lowercase(*ct);
+
+ return HTP_OK;
+}
+
+/**
+ * Implements relaxed (not strictly RFC) hostname validation.
+ *
+ * @param[in] hostname
+ * @return 1 if the supplied hostname is valid; 0 if it is not.
+ */
+int htp_validate_hostname(bstr *hostname) {
+ unsigned char *data = bstr_ptr(hostname);
+ size_t len = bstr_len(hostname);
+ size_t startpos = 0;
+ size_t pos = 0;
+
+ if ((len == 0) || (len > 255)) return 0;
+
+ if (data[0] == '[') {
+ // only ipv6 possible
+ if (len < 2 || len - 2 >= INET6_ADDRSTRLEN) {
+ return 0;
+ }
+ char dst[sizeof(struct in6_addr)];
+ char str[INET6_ADDRSTRLEN];
+ memcpy(str, data+1, len-2);
+ str[len-2] = 0;
+ return inet_pton(AF_INET6, str, dst);
+ }
+ while (pos < len) {
+ // Validate label characters.
+ startpos = pos;
+ while ((pos < len) && (data[pos] != '.')) {
+ unsigned char c = data[pos];
+ // According to the RFC, the underscore is not allowed in a label, but
+ // we allow it here because we think it's often seen in practice.
+ if (!(((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) ||
+ ((c >= '0') && (c <= '9')) ||
+ (c == '-') || (c == '_')))
+ {
+ return 0;
+ }
+
+ pos++;
+ }
+
+ // Validate label length.
+ if ((pos - startpos == 0) || (pos - startpos > 63)) return 0;
+
+ if (pos >= len) return 1; // No more data after label.
+
+ // How many dots are there?
+ startpos = pos;
+ while ((pos < len) && (data[pos] == '.')) pos++;
+
+ if (pos - startpos != 1) return 0; // Exactly one dot expected.
+ }
+
+ return 1;
+}
+
+void htp_uri_free(htp_uri_t *uri) {
+ if (uri == NULL) return;
+
+ bstr_free(uri->scheme);
+ bstr_free(uri->username);
+ bstr_free(uri->password);
+ bstr_free(uri->hostname);
+ bstr_free(uri->port);
+ bstr_free(uri->path);
+ bstr_free(uri->query);
+ bstr_free(uri->fragment);
+
+ free(uri);
+}
+
+htp_uri_t *htp_uri_alloc(void) {
+ htp_uri_t *u = calloc(1, sizeof (htp_uri_t));
+ if (u == NULL) return NULL;
+
+ u->port_number = -1;
+
+ return u;
+}
+
+char *htp_get_version(void) {
+ return HTP_VERSION_STRING_FULL;
+}
+
+/**
+ * Tells if a header value (haystack) contains a token (needle)
+ * This is done with a caseless comparison
+ *
+ * @param[in] hvp header value pointer
+ * @param[in] hvlen length of header value buffer
+ * @param[in] value token to look for (null-terminated string), should be a lowercase constant
+ * @return HTP_OK if the header has the token; HTP_ERROR if it has not.
+ */
+htp_status_t htp_header_has_token(const unsigned char *hvp, size_t hvlen, const unsigned char *value) {
+ int state = 0;
+ // offset to compare in value
+ size_t v_off = 0;
+ // The header value is a list of comma-separated tokens (with additional spaces)
+ for (size_t i = 0; i < hvlen; i++) {
+ switch (state) {
+ case 0:
+ if (v_off == 0 && htp_is_space(hvp[i])) {
+ // skip leading space
+ continue;
+ }
+ if (tolower(hvp[i]) == value[v_off]) {
+ v_off++;
+ if (value[v_off] == 0) {
+ // finish validation if end of token
+ state = 2;
+ }
+ continue;
+ } else {
+ // wait for a new token
+ v_off = 0;
+ state = 1;
+ }
+ // fallthrough
+ case 1:
+ if (hvp[i] == ',') {
+ // start of next token
+ state = 0;
+ }
+ break;
+ case 2:
+ if (hvp[i] == ',') {
+ return HTP_OK;
+ }
+ if (!htp_is_space(hvp[i])) {
+ // trailing junk in token, wait for a next one
+ v_off = 0;
+ state = 1;
+ }
+ }
+ }
+ if (state == 2) {
+ return HTP_OK;
+ }
+ return HTP_ERROR;
+}