You are now the owner of this repo.

25357679674

Committed 04 May 2026 07:12PM UTC coverage: 89.323% (-0.05%) from 89.377%

Build # 25357679674

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #5567 from randombit/jack/http-crlf

Check for newline and null characters in HTTP inputs

Coverage Stats

107390 of 120226 relevant lines covered (89.32%)

11491029.57 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

68.89

/src/lib/utils/http_util/http_util.cpp

/*
* Sketchy HTTP client
* (C) 2013,2016 Jack Lloyd
*     2017 René Korthaus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/http_util.h>

#include <botan/mem_ops.h>
#include <botan/internal/fmt.h>
#include <botan/internal/mem_utils.h>
#include <botan/internal/parsing.h>
#include <botan/internal/socket.h>
#include <iomanip>
#include <sstream>

namespace Botan::HTTP {

namespace {

/*
* Connect to a host, write some bytes, then read until the server
* closes the socket.
*/
std::string http_transact(std::string_view hostname,
                          std::string_view service,
                          std::string_view message,
                          std::chrono::milliseconds timeout) {
   std::unique_ptr<OS::Socket> socket;

   const std::chrono::system_clock::time_point start_time = std::chrono::system_clock::now();

   try {
      socket = OS::open_socket(hostname, service, timeout);
      if(!socket) {
         throw Not_Implemented("No socket support enabled in build");
      }
   } catch(std::exception& e) {
      throw HTTP_Error(fmt("HTTP connection to {} failed: {}", hostname, e.what()));
   }

   // Blocks until entire message has been written
   socket->write(as_span_of_bytes(message));

   if(std::chrono::system_clock::now() - start_time > timeout) {
      throw HTTP_Error("Timeout during writing message body");
   }

   std::ostringstream oss;
   std::vector<uint8_t> buf(DefaultBufferSize);
   while(true) {
      const size_t got = socket->read(buf.data(), buf.size());
      if(got == 0) {  // EOF
         break;
      }

      if(std::chrono::system_clock::now() - start_time > timeout) {
         throw HTTP_Error("Timeout while reading message body");
      }

      oss.write(cast_uint8_ptr_to_char(buf.data()), static_cast<std::streamsize>(got));
   }

   return oss.str();
}

bool needs_url_encoding(char c) {
   if(c >= 'A' && c <= 'Z') {
      return false;
   }
   if(c >= 'a' && c <= 'z') {
      return false;
   }
   if(c >= '0' && c <= '9') {
      return false;
   }
   if(c == '-' || c == '_' || c == '.' || c == '~') {
      return false;
   }
   return true;
}

void check_no_crlf_nul(std::string_view field, std::string_view value) {
   for(const char c : value) {
      if(c == '\r' || c == '\n' || c == '\0') {
         throw HTTP_Error(fmt("Invalid character in HTTP {}", field));
      }
   }
}

}  // namespace

std::string url_encode(std::string_view in) {
   std::ostringstream out;

   for(auto c : in) {
      if(needs_url_encoding(c)) {
         out << '%' << std::uppercase << std::hex << std::setfill('0') << std::setw(2) << static_cast<int>(c);
         out << std::dec << std::nouppercase;  // reset flags
      } else {
         out << c;
      }
   }

   return out.str();
}

std::ostream& operator<<(std::ostream& o, const Response& resp) {
   o << "HTTP " << resp.status_code() << " " << resp.status_message() << "\n";
   for(const auto& h : resp.headers()) {
      o << "Header '" << h.first << "' = '" << h.second << "'\n";
   }
   o << "Body " << std::to_string(resp.body().size()) << " bytes:\n";
   o.write(cast_uint8_ptr_to_char(resp.body().data()), resp.body().size());
   return o;
}

Response http_sync(const http_exch_fn& http_transact,
                   std::string_view verb,
                   std::string_view url,
                   std::string_view content_type,
                   const std::vector<uint8_t>& body,
                   size_t allowable_redirects) {
   if(url.empty()) {
      throw HTTP_Error("URL empty");
   }

   const auto protocol_host_sep = url.find("://");
   if(protocol_host_sep == std::string::npos) {
      throw HTTP_Error(fmt("Invalid URL '{}'", url));
   }

   const auto host_loc_sep = url.find('/', protocol_host_sep + 3);

   std::string hostname;
   std::string loc;
   std::string service;

   if(host_loc_sep == std::string::npos) {
      hostname = url.substr(protocol_host_sep + 3);
      loc = "/";
   } else {
      hostname = url.substr(protocol_host_sep + 3, host_loc_sep - protocol_host_sep - 3);
      loc = url.substr(host_loc_sep);
   }

   const auto port_sep = hostname.find(':');
   if(port_sep == std::string::npos) {
      service = "http";
      // hostname not modified
   } else {
      service = hostname.substr(port_sep + 1, std::string::npos);
      hostname = hostname.substr(0, port_sep);
   }

   check_no_crlf_nul("verb", verb);
   check_no_crlf_nul("hostname", hostname);
   check_no_crlf_nul("port", service);
   check_no_crlf_nul("path", loc);
   check_no_crlf_nul("content type", content_type);

   std::ostringstream outbuf;

   outbuf << verb << " " << loc << " HTTP/1.0\r\n";
   outbuf << "Host: " << hostname << "\r\n";

   if(verb == "GET") {
      outbuf << "Accept: */*\r\n";
      outbuf << "Cache-Control: no-cache\r\n";
   } else if(verb == "POST") {
      outbuf << "Content-Length: " << body.size() << "\r\n";
   }

   if(!content_type.empty()) {
      outbuf << "Content-Type: " << content_type << "\r\n";
   }
   outbuf << "Connection: close\r\n\r\n";
   outbuf.write(cast_uint8_ptr_to_char(body.data()), body.size());

   std::istringstream io(http_transact(hostname, service, outbuf.str()));

   std::string line1;
   std::getline(io, line1);
   if(!io || line1.empty()) {
      throw HTTP_Error("No response");
   }

   std::stringstream response_stream(line1);
   std::string http_version;
   unsigned int status_code = 0;
   std::string status_message;

   response_stream >> http_version >> status_code;

   std::getline(response_stream, status_message);

   if(!response_stream || !http_version.starts_with("HTTP/")) {
      throw HTTP_Error("Not an HTTP response");
   }

   std::map<std::string, std::string> headers;
   std::string header_line;
   while(std::getline(io, header_line) && header_line != "\r") {
      auto sep = header_line.find(": ");
      if(sep == std::string::npos || sep > header_line.size() - 2) {
         throw HTTP_Error(fmt("Invalid HTTP header '{}'", header_line));
      }
      const std::string key = header_line.substr(0, sep);

      if(sep + 2 < header_line.size() - 1) {
         const std::string val = header_line.substr(sep + 2, (header_line.size() - 1) - (sep + 2));
         headers[key] = val;
      }
   }

   if(status_code == 301 && headers.contains("Location")) {
      if(allowable_redirects == 0) {
         throw HTTP_Error("HTTP redirection count exceeded");
      }
      return GET_sync(headers["Location"], allowable_redirects - 1);
   }

   std::vector<uint8_t> resp_body;
   std::vector<uint8_t> buf(4096);
   while(io.good()) {
      io.read(cast_uint8_ptr_to_char(buf.data()), buf.size());
      const size_t got = static_cast<size_t>(io.gcount());
      resp_body.insert(resp_body.end(), buf.data(), &buf[got]);
   }

   auto cl_hdr = headers.find("Content-Length");
   if(cl_hdr != headers.end()) {
      const std::string header_size = cl_hdr->second;
      if(resp_body.size() != to_u32bit(header_size)) {
         throw HTTP_Error(fmt("Content-Length disagreement, header says {} got {}", header_size, resp_body.size()));
      }
   }

   return Response(status_code, status_message, resp_body, headers);
}

Response http_sync(std::string_view verb,
                   std::string_view url,
                   std::string_view content_type,
                   const std::vector<uint8_t>& body,
                   size_t allowable_redirects,
                   std::chrono::milliseconds timeout) {
   auto transact_with_timeout = [timeout](
                                   std::string_view hostname, std::string_view service, std::string_view message) {
      return http_transact(hostname, service, message, timeout);
   };

   return http_sync(transact_with_timeout, verb, url, content_type, body, allowable_redirects);
}

Response GET_sync(std::string_view url, size_t allowable_redirects, std::chrono::milliseconds timeout) {
   return http_sync("GET", url, "", std::vector<uint8_t>(), allowable_redirects, timeout);
}

Response POST_sync(std::string_view url,
                   std::string_view content_type,
                   const std::vector<uint8_t>& body,
                   size_t allowable_redirects,
                   std::chrono::milliseconds timeout) {
   return http_sync("POST", url, content_type, body, allowable_redirects, timeout);
}

}  // namespace Botan::HTTP

1	/*
2	* Sketchy HTTP client
3	* (C) 2013,2016 Jack Lloyd
4	* 2017 René Korthaus, Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/internal/http_util.h>
10
11	#include <botan/mem_ops.h>
12	#include <botan/internal/fmt.h>
13	#include <botan/internal/mem_utils.h>
14	#include <botan/internal/parsing.h>
15	#include <botan/internal/socket.h>
16	#include <iomanip>
17	#include <sstream>
18
19	namespace Botan::HTTP {
20
21	namespace {
22
23	/*
24	* Connect to a host, write some bytes, then read until the server
25	* closes the socket.
26	*/
27	std::string http_transact(std::string_view hostname,	1✔
28	std::string_view service,
29	std::string_view message,
30	std::chrono::milliseconds timeout) {
31	std::unique_ptr<OS::Socket> socket;	1✔
32
33	const std::chrono::system_clock::time_point start_time = std::chrono::system_clock::now();	1✔
34
35	try {	1✔
36	socket = OS::open_socket(hostname, service, timeout);	1✔
37	if(!socket) {	1✔
38	throw Not_Implemented("No socket support enabled in build");	×
39	}
40	} catch(std::exception& e) {	×
41	throw HTTP_Error(fmt("HTTP connection to {} failed: {}", hostname, e.what()));	×
42	}	×
43
44	// Blocks until entire message has been written
45	socket->write(as_span_of_bytes(message));	1✔
46
47	if(std::chrono::system_clock::now() - start_time > timeout) {	1✔
48	throw HTTP_Error("Timeout during writing message body");	×
49	}
50
51	std::ostringstream oss;	1✔
52	std::vector<uint8_t> buf(DefaultBufferSize);	1✔
53	while(true) {	2✔
54	const size_t got = socket->read(buf.data(), buf.size());	2✔
55	if(got == 0) { // EOF	2✔
56	break;
57	}
58
59	if(std::chrono::system_clock::now() - start_time > timeout) {	1✔
60	throw HTTP_Error("Timeout while reading message body");	×
61	}
62
63	oss.write(cast_uint8_ptr_to_char(buf.data()), static_cast<std::streamsize>(got));	1✔
64	}
65
66	return oss.str();	1✔
67	}	1✔
68
69	bool needs_url_encoding(char c) {	×
70	if(c >= 'A' && c <= 'Z') {	×
71	return false;
72	}
73	if(c >= 'a' && c <= 'z') {
74	return false;
75	}
76	if(c >= '0' && c <= '9') {
77	return false;
78	}
79	if(c == '-' \|\| c == '_' \|\| c == '.' \|\| c == '~') {
80	return false;
81	}
82	return true;
83	}
84
85	void check_no_crlf_nul(std::string_view field, std::string_view value) {	5✔
86	for(const char c : value) {	55✔
87	if(c == '\r' \|\| c == '\n' \|\| c == '\0') {	50✔
88	throw HTTP_Error(fmt("Invalid character in HTTP {}", field));	×
89	}
90	}
91	}	5✔
92
93	} // namespace
94
95	std::string url_encode(std::string_view in) {	×
96	std::ostringstream out;	×
97
98	for(auto c : in) {	×
99	if(needs_url_encoding(c)) {	×
100	out << '%' << std::uppercase << std::hex << std::setfill('0') << std::setw(2) << static_cast<int>(c);	×
101	out << std::dec << std::nouppercase; // reset flags	×
102	} else {
103	out << c;	×
104	}
105	}
106
107	return out.str();	×
108	}	×
109
110	std::ostream& operator<<(std::ostream& o, const Response& resp) {	×
111	o << "HTTP " << resp.status_code() << " " << resp.status_message() << "\n";	×
112	for(const auto& h : resp.headers()) {	×
113	o << "Header '" << h.first << "' = '" << h.second << "'\n";	×
114	}
115	o << "Body " << std::to_string(resp.body().size()) << " bytes:\n";	×
116	o.write(cast_uint8_ptr_to_char(resp.body().data()), resp.body().size());	×
117	return o;	×
118	}
119
120	Response http_sync(const http_exch_fn& http_transact,	1✔
121	std::string_view verb,
122	std::string_view url,
123	std::string_view content_type,
124	const std::vector<uint8_t>& body,
125	size_t allowable_redirects) {
126	if(url.empty()) {	1✔
127	throw HTTP_Error("URL empty");	×
128	}
129
130	const auto protocol_host_sep = url.find("://");	1✔
131	if(protocol_host_sep == std::string::npos) {	1✔
132	throw HTTP_Error(fmt("Invalid URL '{}'", url));	×
133	}
134
135	const auto host_loc_sep = url.find('/', protocol_host_sep + 3);	1✔
136
137	std::string hostname;	1✔
138	std::string loc;	1✔
139	std::string service;	1✔
140
141	if(host_loc_sep == std::string::npos) {	1✔
142	hostname = url.substr(protocol_host_sep + 3);	1✔
143	loc = "/";	1✔
144	} else {
145	hostname = url.substr(protocol_host_sep + 3, host_loc_sep - protocol_host_sep - 3);	×
146	loc = url.substr(host_loc_sep);	×
147	}
148
149	const auto port_sep = hostname.find(':');	1✔
150	if(port_sep == std::string::npos) {	1✔
151	service = "http";	1✔
152	// hostname not modified
153	} else {
154	service = hostname.substr(port_sep + 1, std::string::npos);	×
155	hostname = hostname.substr(0, port_sep);	×
156	}
157
158	check_no_crlf_nul("verb", verb);	1✔
159	check_no_crlf_nul("hostname", hostname);	1✔
160	check_no_crlf_nul("port", service);	1✔
161	check_no_crlf_nul("path", loc);	1✔
162	check_no_crlf_nul("content type", content_type);	1✔
163
164	std::ostringstream outbuf;	1✔
165
166	outbuf << verb << " " << loc << " HTTP/1.0\r\n";	1✔
167	outbuf << "Host: " << hostname << "\r\n";	1✔
168
169	if(verb == "GET") {	1✔
170	outbuf << "Accept: /\r\n";	×
171	outbuf << "Cache-Control: no-cache\r\n";	×
172	} else if(verb == "POST") {	1✔
173	outbuf << "Content-Length: " << body.size() << "\r\n";	1✔
174	}
175
176	if(!content_type.empty()) {	1✔
177	outbuf << "Content-Type: " << content_type << "\r\n";	1✔
178	}
179	outbuf << "Connection: close\r\n\r\n";	1✔
180	outbuf.write(cast_uint8_ptr_to_char(body.data()), body.size());	1✔
181
182	std::istringstream io(http_transact(hostname, service, outbuf.str()));	3✔
183
184	std::string line1;	1✔
185	std::getline(io, line1);	1✔
186	if(!io \|\| line1.empty()) {	1✔
187	throw HTTP_Error("No response");	×
188	}
189
190	std::stringstream response_stream(line1);	1✔
191	std::string http_version;	1✔
192	unsigned int status_code = 0;	1✔
193	std::string status_message;	1✔
194
195	response_stream >> http_version >> status_code;	1✔
196
197	std::getline(response_stream, status_message);	1✔
198
199	if(!response_stream \|\| !http_version.starts_with("HTTP/")) {	2✔
200	throw HTTP_Error("Not an HTTP response");	×
201	}
202
203	std::map<std::string, std::string> headers;	1✔
204	std::string header_line;	1✔
205	while(std::getline(io, header_line) && header_line != "\r") {	6✔
206	auto sep = header_line.find(": ");	5✔
207	if(sep == std::string::npos \|\| sep > header_line.size() - 2) {	5✔
208	throw HTTP_Error(fmt("Invalid HTTP header '{}'", header_line));	×
209	}
210	const std::string key = header_line.substr(0, sep);	5✔
211
212	if(sep + 2 < header_line.size() - 1) {	5✔
213	const std::string val = header_line.substr(sep + 2, (header_line.size() - 1) - (sep + 2));	5✔
214	headers[key] = val;	10✔
215	}	5✔
216	}	5✔
217
218	if(status_code == 301 && headers.contains("Location")) {	1✔
219	if(allowable_redirects == 0) {	×
220	throw HTTP_Error("HTTP redirection count exceeded");	×
221	}
222	return GET_sync(headers["Location"], allowable_redirects - 1);	×
223	}
224
225	std::vector<uint8_t> resp_body;	1✔
226	std::vector<uint8_t> buf(4096);	1✔
227	while(io.good()) {	1✔
228	io.read(cast_uint8_ptr_to_char(buf.data()), buf.size());	1✔
229	const size_t got = static_cast<size_t>(io.gcount());	1✔
230	resp_body.insert(resp_body.end(), buf.data(), &buf[got]);	2✔
231	}
232
233	auto cl_hdr = headers.find("Content-Length");	1✔
234	if(cl_hdr != headers.end()) {	1✔
235	const std::string header_size = cl_hdr->second;	1✔
236	if(resp_body.size() != to_u32bit(header_size)) {	1✔
237	throw HTTP_Error(fmt("Content-Length disagreement, header says {} got {}", header_size, resp_body.size()));	×
238	}
239	}	1✔
240
241	return Response(status_code, status_message, resp_body, headers);	1✔
242	}	2✔
243
244	Response http_sync(std::string_view verb,	1✔
245	std::string_view url,
246	std::string_view content_type,
247	const std::vector<uint8_t>& body,
248	size_t allowable_redirects,
249	std::chrono::milliseconds timeout) {
250	auto transact_with_timeout = [timeout](	2✔
251	std::string_view hostname, std::string_view service, std::string_view message) {
252	return http_transact(hostname, service, message, timeout);	1✔
253	};	1✔
254
255	return http_sync(transact_with_timeout, verb, url, content_type, body, allowable_redirects);	2✔
256	}
257
258	Response GET_sync(std::string_view url, size_t allowable_redirects, std::chrono::milliseconds timeout) {	×
259	return http_sync("GET", url, "", std::vector<uint8_t>(), allowable_redirects, timeout);	×
260	}
261
262	Response POST_sync(std::string_view url,	1✔
263	std::string_view content_type,
264	const std::vector<uint8_t>& body,
265	size_t allowable_redirects,
266	std::chrono::milliseconds timeout) {
267	return http_sync("POST", url, content_type, body, allowable_redirects, timeout);	1✔
268	}
269
270	} // namespace Botan::HTTP

randombit / botan / 25357679674

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous