Function tfw_http_meth_str2id is totally wrong #2362

EvgeniiMekhanik opened this issue Mar 14, 2025 · 2 comments

@EvgeniiMekhanik

In the tfw_http_meth_str2id function we check the first letter in the chunk and the length of the header and return the method type according to it. It is totally wrong, because we return method 'PUT' if the real method was 'PAT' or 'POT' and so on. This function should be reworked.

@krizhanovsky

krizhanovsky commented Apr 9, 2025

Why do we allow unknown methods in the first place? Who uses such methods?

I believe we need to block all unknown methods on the HTTP parser and HPACK levels. This will make the parser faster, more robust and secure. See commit 73d30d4.

This should be done as the transition to observability #2399

@krizhanovsky

Unknown methods were introduced in 03aac71. The test https://github.com/tempesta-tech/tempesta/blob/master/fw/t/unit/test_http1_parser.c#L97 enumerates plenty of methods, unsupported by Tempesta FW, but still common in the Internet, e.g. CONNECT or VERSION-CONTROL from WebDAV.

It makes sense to preserve the ability to proxy unknown headers, but yes, we should go with method PUT only if we explicitly parsed PUT, not PUTX or something like this.
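
Added example, not part of the thread and not Tempesta FW's code: a simplified C model of the mismatch discussed above, with a lookup keyed on first byte and length next to a byte-for-byte lookup that still leaves unmatched methods as unknown. The enum values, function names, method table and the flat-buffer input are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ids for this sketch; not Tempesta FW's own enum. */
enum meth { METH_UNKNOWN, METH_GET, METH_PUT, METH_POST, METH_PATCH };

/* Loose lookup as described in the issue: first byte plus length only. */
static enum meth meth_loose(const char *s, size_t len)
{
	if (!len)
		return METH_UNKNOWN;
	switch (s[0]) {
	case 'G':
		return len == 3 ? METH_GET : METH_UNKNOWN;
	case 'P':
		if (len == 3) return METH_PUT;   /* also matches PAT, POT */
		if (len == 4) return METH_POST;  /* also matches PUTX */
		if (len == 5) return METH_PATCH;
		break;
	}
	return METH_UNKNOWN;
}

/* Strict lookup: the length must match and every byte is compared. */
static enum meth meth_strict(const char *s, size_t len)
{
	static const struct { const char *name; size_t len; enum meth id; } tbl[] = {
		{ "GET", 3, METH_GET },   { "PUT", 3, METH_PUT },
		{ "POST", 4, METH_POST }, { "PATCH", 5, METH_PATCH },
	};
	for (size_t i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
		if (len == tbl[i].len && !memcmp(s, tbl[i].name, len))
			return tbl[i].id;
	return METH_UNKNOWN; /* unknown methods stay distinguishable */
}

int main(void)
{
	/* Constructed sample methods, including the ones named in the thread. */
	const char *samples[] = { "PUT", "PAT", "POT", "PUTX", "PATCH" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t n = strlen(samples[i]);
		printf("%-5s loose=%d strict=%d\n", samples[i],
		       meth_loose(samples[i], n), meth_strict(samples[i], n));
	}
	return 0;
}
```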
