summaryrefslogtreecommitdiffstats
path: root/htp/htp_config_private.h
blob: 83ff8f68e6786502f89e340eab2543a6ca099304 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
/***************************************************************************
 * Copyright (c) 2009-2010 Open Information Security Foundation
 * Copyright (c) 2010-2013 Qualys, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * - Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.

 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.

 * - Neither the name of the Qualys, Inc. nor the names of its
 *   contributors may be used to endorse or promote products derived from
 *   this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ***************************************************************************/

/**
 * @file
 * @author Ivan Ristic <ivanr@webkreator.com>
 */

#ifndef HTP_CONFIG_PRIVATE_H
#define	HTP_CONFIG_PRIVATE_H

#ifdef	__cplusplus
extern "C" {
#endif

#define HTP_DECODER_CONTEXTS_MAX    3

typedef struct htp_decoder_cfg_t {

    // Path-specific decoding options.

    /** Convert backslash characters to slashes. */
    int backslash_convert_slashes;
    
    /** Convert to lowercase. */
    int convert_lowercase;
    
    /** Compress slash characters. */
    int path_separators_compress;

    /** Should we URL-decode encoded path segment separators? */
    int path_separators_decode;

    /** Should we decode '+' characters to spaces? */
    int plusspace_decode;
    
    /** Reaction to encoded path separators. */
    enum htp_unwanted_t path_separators_encoded_unwanted;


    // Special characters options.

    /** Controls how raw NUL bytes are handled. */
    int nul_raw_terminates;

    /** Determines server response to a raw NUL byte in the path. */
    enum htp_unwanted_t nul_raw_unwanted;

    /** Reaction to control characters. */
    enum htp_unwanted_t control_chars_unwanted;


    // URL encoding options.

    /** Should we decode %u-encoded characters? */
    int u_encoding_decode;

    /** Reaction to %u encoding. */
    enum htp_unwanted_t u_encoding_unwanted;

    /** Handling of invalid URL encodings. */
    enum htp_url_encoding_handling_t url_encoding_invalid_handling;

    /** Reaction to invalid URL encoding. */
    enum htp_unwanted_t url_encoding_invalid_unwanted;
    
    /** Controls how encoded NUL bytes are handled. */
    int nul_encoded_terminates;

    /** How are we expected to react to an encoded NUL byte? */
    enum htp_unwanted_t nul_encoded_unwanted;


    // UTF-8 options.

    /** Controls how invalid UTF-8 characters are handled. */
    enum htp_unwanted_t utf8_invalid_unwanted;

    /** Convert UTF-8 characters into bytes using best-fit mapping. */
    int utf8_convert_bestfit;

    
    // Best-fit mapping options.

    /** The best-fit map to use to decode %u-encoded characters. */
    unsigned char *bestfit_map;

    /** The replacement byte used when there is no best-fit mapping. */
    unsigned char bestfit_replacement_byte;

} htp_decoder_cfg_t;

struct htp_cfg_t {
    /**
     * The maximum size of the buffer that is used when the current
     * input chunk does not contain all the necessary data (e.g., a very header
     * line that spans several packets).
     */
    size_t field_limit_hard;

    /**
     * Soft field limit length. If this limit is reached the parser will issue
     * a warning but continue to run. NOT IMPLEMENTED.
     */
    size_t field_limit_soft;

    /**
     * Log level, which will be used when deciding whether to store or
     * ignore the messages issued by the parser.
     */
    enum htp_log_level_t log_level;

    /**
     * Whether to delete each transaction after the last hook is invoked. This
     * feature should be used when parsing traffic streams in real time.
     */
    int tx_auto_destroy;

    /**
     * Server personality identifier.
     */
    enum htp_server_personality_t server_personality;

    /** The function used for request line parsing. Depends on the personality. */
    int (*parse_request_line)(htp_connp_t *connp);

    /** The function used for response line parsing. Depends on the personality. */
    int (*parse_response_line)(htp_connp_t *connp);

    /** The function used for request header parsing. Depends on the personality. */
    int (*process_request_header)(htp_connp_t *connp, unsigned char *data, size_t len);

    /** The function used for response header parsing. Depends on the personality. */
    int (*process_response_header)(htp_connp_t *connp, unsigned char *data, size_t len);

    /** The function to use to transform parameters after parsing. */
    int (*parameter_processor)(htp_param_t *param);

    /** Decoder configuration array, one per context. */
    htp_decoder_cfg_t decoder_cfgs[HTP_DECODER_CONTEXTS_MAX];

    /** Whether to generate the request_uri_normalized field. */
    int generate_request_uri_normalized;

    /** Whether to decompress compressed response bodies. */
    int response_decompression_enabled;

    /** Not fully implemented at the moment. */
    char *request_encoding;

    /** Not fully implemented at the moment. */
    char *internal_encoding;

    /** Whether to parse request cookies. */
    int parse_request_cookies;

    /** Whether to parse HTTP Authentication headers. */
    int parse_request_auth;

    /** Whether to extract files from requests using Multipart encoding. */
    int extract_request_files;

    /** How many extracted files are allowed in a single Multipart request? */
    int extract_request_files_limit;

    /** Whether to allow spaces in URI. */
    int allow_space_uri;

    /** The location on disk where temporary files will be created. */
    char *tmpdir;

    // Hooks

    /**
     * Request start hook, invoked when the parser receives the first byte of a new
     * request. Because in HTTP a transaction always starts with a request, this hook
     * doubles as a transaction start hook.
     */
    htp_hook_t *hook_request_start;

    /**
     * Request line hook, invoked after a request line has been parsed.
     */
    htp_hook_t *hook_request_line;

    /**
     * Request URI normalization hook, for overriding default normalization of URI.
     */
    htp_hook_t *hook_request_uri_normalize;

    /**
     * Receives raw request header data, starting immediately after the request line,
     * including all headers as they are seen on the TCP connection, and including the
     * terminating empty line. Not available on genuine HTTP/0.9 requests (because
     * they don't use headers).
     */
    htp_hook_t *hook_request_header_data;

    /**
     * Request headers hook, invoked after all request headers are seen.
     */
    htp_hook_t *hook_request_headers;

    /**
     * Request body data hook, invoked every time body data is available. Each
     * invocation will provide a htp_tx_data_t instance. Chunked data
     * will be dechunked before the data is passed to this hook. Decompression
     * is not currently implemented. At the end of the request body
     * there will be a call with the data pointer set to NULL.
     */
    htp_hook_t *hook_request_body_data;

    /**
     * Request file data hook, which is invoked whenever request file data is
     * available. Currently used only by the Multipart parser.
     */
    htp_hook_t *hook_request_file_data;

    /**
     * Receives raw request trailer data, which can be available on requests that have
     * chunked bodies. The data starts immediately after the zero-length chunk
     * and includes the terminating empty line.
     */
    htp_hook_t *hook_request_trailer_data;

    /**
     * Request trailer hook, invoked after all trailer headers are seen,
     * and if they are seen (not invoked otherwise).
     */
    htp_hook_t *hook_request_trailer;

    /**
     * Request hook, invoked after a complete request is seen.
     */
    htp_hook_t *hook_request_complete;

    /**
     * Response startup hook, invoked when a response transaction is found and
     * processing started.
     */
    htp_hook_t *hook_response_start;

    /**
     * Response line hook, invoked after a response line has been parsed.
     */
    htp_hook_t *hook_response_line;

    /**
     * Receives raw response header data, starting immediately after the status line
     * and including all headers as they are seen on the TCP connection, and including the
     * terminating empty line. Not available on genuine HTTP/0.9 responses (because
     * they don't have response headers).
     */
    htp_hook_t *hook_response_header_data;

    /**
     * Response headers book, invoked after all response headers have been seen.
     */
    htp_hook_t *hook_response_headers;

    /**
     * Response body data hook, invoked every time body data is available. Each
     * invocation will provide a htp_tx_data_t instance. Chunked data
     * will be dechunked before the data is passed to this hook. By default,
     * compressed data will be decompressed, but decompression can be disabled
     * in configuration. At the end of the response body there will be a call
     * with the data pointer set to NULL.
     */
    htp_hook_t *hook_response_body_data;

    /**
     * Receives raw response trailer data, which can be available on responses that have
     * chunked bodies. The data starts immediately after the zero-length chunk
     * and includes the terminating empty line.
     */
    htp_hook_t *hook_response_trailer_data;

    /**
     * Response trailer hook, invoked after all trailer headers have been processed,
     * and only if the trailer exists.
     */
    htp_hook_t *hook_response_trailer;

    /**
     * Response hook, invoked after a response has been seen. Because sometimes servers
     * respond before receiving complete requests, a response_complete callback may be
     * invoked prior to a request_complete callback.
     */
    htp_hook_t *hook_response_complete;

    /**
     * Transaction complete hook, which is invoked once the entire transaction is
     * considered complete (request and response are both complete). This is always
     * the last hook to be invoked.
     */
    htp_hook_t *hook_transaction_complete;

    /**
     * Log hook, invoked every time the library wants to log.
     */
    htp_hook_t *hook_log;

    /**
     * Opaque user data associated with this configuration structure.
     */
    void *user_data;

    // Request Line parsing options.

    // TODO this was added here to maintain a stable ABI, once we can break that
    // we may want to move this into htp_decoder_cfg_t (VJ)

    /** Reaction to leading whitespace on the request line */
    enum htp_unwanted_t requestline_leading_whitespace_unwanted;

    /** How many layers of compression we will decompress (0 => no limit). */
    int response_decompression_layer_limit;

    /** max memory use by a the lzma decompressor. */
    size_t lzma_memlimit;

    /** max output size for a compression bomb. */
    int32_t compression_bomb_limit;

    /** max time for a decompression bomb. */
    int32_t compression_time_limit;

    /** How many layers of compression we will decompress (0 => no lzma). */
    int response_lzma_layer_limit;

    /** Whether to decompress compressed request bodies. */
    int request_decompression_enabled;

    /** Maximum number of transactions. */
    uint32_t max_tx;
};

#ifdef	__cplusplus
}
#endif

#endif	/* HTP_CONFIG_PRIVATE H */