Actually silently ignore GET / OCSP requests
authorViktor Dukhovni <openssl-users@dukhovni.org>
Mon, 15 Jul 2019 17:12:04 +0000 (13:12 -0400)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Tue, 16 Jul 2019 10:14:36 +0000 (06:14 -0400)
Reviewed-by: Matt Caswell <matt@openssl.org>
apps/ocsp.c

index 066a2e43af2b1e21172a999e7e518daa988f672f..5d2391816995c390f3aee223cb27316e57b2222f 100644 (file)
@@ -1416,9 +1416,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
         *q = '\0';
 
         /*
-         * Skip "GET / HTTP..." requests often used by load-balancers
+         * Skip "GET / HTTP..." requests often used by load-balancers.  Note:
+         * 'p' was incremented above to point to the first byte *after* the
+         * leading slash, so with 'GET / ' it is now an empty string.
          */
-        if (p[1] == '\0')
+        if (p[0] == '\0')
             goto out;
 
         len = urldecode(p);
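Review bot: The updated comment above `if (p[0] == '\0')` explains where `p` points, but it still does not say what "skip" means for the client. The `out` label and the rest of `do_responder` are outside this hunk, so whether a probe gets an error response or only a closed connection cannot be read off here. Any unauthenticated client can reach this branch, and the commit title suggests nothing is logged for it. I would add one line to the comment, for example `* Nothing is logged for these probes; the request is dropped via 'out'.`, adjusted to whatever `out` actually returns. The check also depends on the earlier `p++` past the leading slash, which this hunk does not show, so a regression test that sends `GET / HTTP/1.0` would keep this off-by-one from coming back.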