diff options
Diffstat (limited to '')
-rw-r--r-- | htp/htp_content_handlers.c | 299 |
1 files changed, 299 insertions, 0 deletions
diff --git a/htp/htp_content_handlers.c b/htp/htp_content_handlers.c new file mode 100644 index 0000000..183a0f2 --- /dev/null +++ b/htp/htp_content_handlers.c @@ -0,0 +1,299 @@ +/*************************************************************************** + * Copyright (c) 2009-2010 Open Information Security Foundation + * Copyright (c) 2010-2013 Qualys, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + + * - Neither the name of the Qualys, Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + ***************************************************************************/ + +/** + * @file + * @author Ivan Ristic <ivanr@webkreator.com> + */ + +#include "htp_config_auto.h" + +#include "htp_private.h" + +/** + * This callback function feeds request body data to a Urlencoded parser + * and, later, feeds the parsed parameters to the correct structures. + * + * @param[in] d + * @return HTP_OK on success, HTP_ERROR on failure. + */ +htp_status_t htp_ch_urlencoded_callback_request_body_data(htp_tx_data_t *d) { + htp_tx_t *tx = d->tx; + + // Check that we were not invoked again after the finalization. + if (tx->request_urlenp_body->params == NULL) return HTP_ERROR; + + if (d->data != NULL) { + // Process one chunk of data. + htp_urlenp_parse_partial(tx->request_urlenp_body, d->data, d->len); + } else { + // Finalize parsing. + htp_urlenp_finalize(tx->request_urlenp_body); + + // Add all parameters to the transaction. + bstr *name = NULL; + bstr *value = NULL; + + for (size_t i = 0, n = htp_table_size(tx->request_urlenp_body->params); i < n; i++) { + value = htp_table_get_index(tx->request_urlenp_body->params, i, &name); + + htp_param_t *param = calloc(1, sizeof (htp_param_t)); + if (param == NULL) return HTP_ERROR; + + param->name = name; + param->value = value; + param->source = HTP_SOURCE_BODY; + param->parser_id = HTP_PARSER_URLENCODED; + param->parser_data = NULL; + + if (htp_tx_req_add_param(tx, param) != HTP_OK) { + free(param); + return HTP_ERROR; + } + } + + // All the parameter data is now owned by the transaction, and + // the parser table used to store it is no longer needed. The + // line below will destroy just the table, leaving keys intact. + htp_table_destroy_ex(tx->request_urlenp_body->params); + tx->request_urlenp_body->params = NULL; + } + + return HTP_OK; +} + +/** + * Determine if the request has a Urlencoded body, and, if it does, create and + * attach an instance of the Urlencoded parser to the transaction. + * + * @param[in] connp + * @return HTP_OK if a new parser has been setup, HTP_DECLINED if the MIME type + * is not appropriate for this parser, and HTP_ERROR on failure. + */ +htp_status_t htp_ch_urlencoded_callback_request_headers(htp_tx_t *tx) { + // Check the request content type to see if it matches our MIME type. + if ((tx->request_content_type == NULL) || (!bstr_begins_with_c(tx->request_content_type, HTP_URLENCODED_MIME_TYPE))) { + #ifdef HTP_DEBUG + fprintf(stderr, "htp_ch_urlencoded_callback_request_headers: Body not URLENCODED\n"); + #endif + + return HTP_DECLINED; + } + + #ifdef HTP_DEBUG + fprintf(stderr, "htp_ch_urlencoded_callback_request_headers: Parsing URLENCODED body\n"); + #endif + + // Create parser instance. + tx->request_urlenp_body = htp_urlenp_create(tx); + if (tx->request_urlenp_body == NULL) return HTP_ERROR; + + // Register a request body data callback. + htp_tx_register_request_body_data(tx, htp_ch_urlencoded_callback_request_body_data); + + return HTP_OK; +} + +/** + * Parses request query string, if present. + * + * @param[in] connp + * @param[in] raw_data + * @param[in] raw_len + * @return HTP_OK if query string was parsed, HTP_DECLINED if there was no query + * string, and HTP_ERROR on failure. + */ +htp_status_t htp_ch_urlencoded_callback_request_line(htp_tx_t *tx) { + // Proceed only if there's something for us to parse. + if ((tx->parsed_uri->query == NULL) || (bstr_len(tx->parsed_uri->query) == 0)) { + return HTP_DECLINED; + } + + // We have a non-zero length query string. + + tx->request_urlenp_query = htp_urlenp_create(tx); + if (tx->request_urlenp_query == NULL) return HTP_ERROR; + + if (htp_urlenp_parse_complete(tx->request_urlenp_query, bstr_ptr(tx->parsed_uri->query), + bstr_len(tx->parsed_uri->query)) != HTP_OK) { + htp_urlenp_destroy(tx->request_urlenp_query); + return HTP_ERROR; + } + + // Add all parameters to the transaction. + + bstr *name = NULL; + bstr *value = NULL; + for (size_t i = 0, n = htp_table_size(tx->request_urlenp_query->params); i < n; i++) { + value = htp_table_get_index(tx->request_urlenp_query->params, i, &name); + + htp_param_t *param = calloc(1, sizeof (htp_param_t)); + if (param == NULL) return HTP_ERROR; + + param->name = name; + param->value = value; + param->source = HTP_SOURCE_QUERY_STRING; + param->parser_id = HTP_PARSER_URLENCODED; + param->parser_data = NULL; + + if (htp_tx_req_add_param(tx, param) != HTP_OK) { + free(param); + return HTP_ERROR; + } + } + + // All the parameter data is now owned by the transaction, and + // the parser table used to store it is no longer needed. The + // line below will destroy just the table, leaving keys intact. + htp_table_destroy_ex(tx->request_urlenp_query->params); + tx->request_urlenp_query->params = NULL; + + htp_urlenp_destroy(tx->request_urlenp_query); + tx->request_urlenp_query = NULL; + + return HTP_OK; +} + +/** + * Finalize Multipart processing. + * + * @param[in] d + * @return HTP_OK on success, HTP_ERROR on failure. + */ +htp_status_t htp_ch_multipart_callback_request_body_data(htp_tx_data_t *d) { + htp_tx_t *tx = d->tx; + + // Check that we were not invoked again after the finalization. + if (tx->request_mpartp->gave_up_data == 1) return HTP_ERROR; + + if (d->data != NULL) { + // Process one chunk of data. + htp_mpartp_parse(tx->request_mpartp, d->data, d->len); + } else { + // Finalize parsing. + htp_mpartp_finalize(tx->request_mpartp); + + htp_multipart_t *body = htp_mpartp_get_multipart(tx->request_mpartp); + + for (size_t i = 0, n = htp_list_size(body->parts); i < n; i++) { + htp_multipart_part_t *part = htp_list_get(body->parts, i); + + // Use text parameters. + if (part->type == MULTIPART_PART_TEXT) { + htp_param_t *param = calloc(1, sizeof (htp_param_t)); + if (param == NULL) return HTP_ERROR; + param->name = part->name; + param->value = part->value; + param->source = HTP_SOURCE_BODY; + param->parser_id = HTP_PARSER_MULTIPART; + param->parser_data = part; + + if (htp_tx_req_add_param(tx, param) != HTP_OK) { + free(param); + return HTP_ERROR; + } + } + } + + // Tell the parser that it no longer owns names + // and values of MULTIPART_PART_TEXT parts. + tx->request_mpartp->gave_up_data = 1; + } + + return HTP_OK; +} + +/** + * Inspect request headers and register the Multipart request data hook + * if it contains a multipart/form-data body. + * + * @param[in] connp + * @return HTP_OK if a new parser has been setup, HTP_DECLINED if the MIME type + * is not appropriate for this parser, and HTP_ERROR on failure. + */ +htp_status_t htp_ch_multipart_callback_request_headers(htp_tx_t *tx) { + #ifdef HTP_DEBUG + fprintf(stderr, "htp_ch_multipart_callback_request_headers: Need to determine if multipart body is present\n"); + #endif + + // The field tx->request_content_type does not contain the entire C-T + // value and so we cannot use it to look for a boundary, but we can + // use it for a quick check to determine if the C-T header exists. + if (tx->request_content_type == NULL) { + #ifdef HTP_DEBUG + fprintf(stderr, "htp_ch_multipart_callback_request_headers: Not multipart body (no C-T header)\n"); + #endif + + return HTP_DECLINED; + } + + // Look for a boundary. + + htp_header_t *ct = htp_table_get_c(tx->request_headers, "content-type"); + if (ct == NULL) return HTP_ERROR; + + bstr *boundary = NULL; + uint64_t flags = 0; + + htp_status_t rc = htp_mpartp_find_boundary(ct->value, &boundary, &flags); + if (rc != HTP_OK) { + #ifdef HTP_DEBUG + if (rc == HTP_DECLINED) { + fprintf(stderr, "htp_ch_multipart_callback_request_headers: Not multipart body\n"); + } + #endif + + // No boundary (HTP_DECLINED) or error (HTP_ERROR). + return rc; + } + + if (boundary == NULL) return HTP_ERROR; + + // Create a Multipart parser instance. + tx->request_mpartp = htp_mpartp_create(tx->connp->cfg, boundary, flags); + if (tx->request_mpartp == NULL) { + bstr_free(boundary); + return HTP_ERROR; + } + + // Configure file extraction. + if (tx->cfg->extract_request_files) { + tx->request_mpartp->extract_files = 1; + tx->request_mpartp->extract_dir = tx->connp->cfg->tmpdir; + } + + // Register a request body data callback. + htp_tx_register_request_body_data(tx, htp_ch_multipart_callback_request_body_data); + + return HTP_OK; +} |