httpd: don't allow tabs and multiple spaces in request string

HTTP standard doesn't allow it and no sane clients should ever use it.

function                                             old     new   delta
handle_incoming_and_exit                            2795    2785     -10

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/networking/httpd.c b/networking/httpd.c
index 1934bb27eb71fcae437cd46193ba515bc89b4b6e..b46eb0fabca9dcdaad5b2ef8b7e33da8c9612c67 100644 (file)
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
                send_headers_and_exit(HTTP_BAD_REQUEST);
 
        /* Determine type of request (GET/POST) */
-       urlp = strpbrk(iobuf, " \t");
+       // rfc2616: method and URI is separated by exactly one space
+       //urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
+       urlp = strchr(iobuf, ' ');
        if (urlp == NULL)
                send_headers_and_exit(HTTP_BAD_REQUEST);
        *urlp++ = '\0';
@@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
        if (strcasecmp(iobuf, request_GET) != 0)
                send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
 #endif
-       urlp = skip_whitespace(urlp);
+       // rfc2616: method and URI is separated by exactly one space
+       //urlp = skip_whitespace(urlp); - should not be necessary
        if (urlp[0] != '/')
                send_headers_and_exit(HTTP_BAD_REQUEST);