Special characters in URI corrupt request object #2751

Closed
sshymko opened this issue Aug 8, 2019 · 6 comments

sshymko commented Aug 8, 2019

Preconditions:

  • Swoole 4.x (any version)

Steps to reproduce:

  1. Create a simple Swoole server that responds with request debug information:
    $server = new \Swoole\Http\Server('127.0.0.1', 8180);
    $server->on('request', function ($request, $response) {
        $response->header('Content-Type', 'text/plain');
        $debug = [
            'server' => $request->server,
            'headers' => $request->header,
        ];
        $response->end(var_export($debug, true));
    });
    $server->start();
  2. Send request with special characters in headers:
    curl 'http://127.0.0.1:8180/test' \
        -H 'X-Test-Header: test™'
  3. Send request with special characters in both URI and headers:
    curl 'http://127.0.0.1:8180/test™' \
        -H 'X-Test-Header: test™'

Expected result:

  • Swoole parses request data with special characters in headers
  • Swoole parses request data with special characters in URI
  • Special characters are available in request object:
    array (
      'server' => 
      array (
        'request_method' => 'GET',
        'request_uri' => '/test™',
        'path_info' => '/test™',
        'request_time' => 1565292046,
        'request_time_float' => 1565292047.800587,
        'server_port' => 8180,
        'remote_port' => 55166,
        'remote_addr' => '127.0.0.1',
        'master_time' => 1565292046,
        'server_protocol' => 'HTTP/1.1',
      ),
      'headers' => 
      array (
        'host' => '127.0.0.1:8180',
        'user-agent' => 'curl/7.61.1',
        'accept' => '*/*',
        'x-test-header' => 'test™',
      ),
    )

Actual result:

  • Swoole parses request data with special characters in headers
  • Swoole DOES NOT support special characters in URI
  • Special characters in URI corrupt request object:
    array (
      'server' => 
      array (
        'request_method' => 'GET',
        'request_uri' => '',
        'path_info' => '',
        'request_time' => 1565292054,
        'request_time_float' => 1565292055.176415,
        'server_port' => 8180,
        'remote_port' => 55168,
        'remote_addr' => '127.0.0.1',
        'master_time' => 1565292054,
        'server_protocol' => 'HTTP/1.0',
      ),
      'headers' => 
      array (
      ),
    )

Notice empty request_uri, path_info, headers and protocol HTTP/1.0 instead of HTTP/1.1.

sshymko commented Aug 8, 2019

Although special characters are expected to be encoded in a valid URI, nothing prevents sending (malicious) requests with raw data. Moreover, the industry-standard technologies all support special characters in the URI; namely, Nginx and PHP-FPM both parse the requests successfully.


sshymko commented Aug 8, 2019

Note that Swoole does support special characters in request headers. The problem is only with the URI. Headers are shown to demonstrate that special characters in the URI also prevent header parsing.


twose commented Aug 9, 2019

Swoole uses http_parser; it's probably a bug in http_parser.

twose added the "in progress" label Aug 9, 2019

sshymko commented Aug 9, 2019

@twose
Looks like the parsing issue is happening here:
https://github.com/swoole/swoole-src/blob/master/thirdparty/swoole_http_parser.c#L691

sshymko added a commit to upscalesoftware/swoole-src that referenced this issue Aug 9, 2019
- Remove strict validation of URI path characters
- Resolve swoole#2751 Special characters in URI corrupt request object

sshymko commented Aug 9, 2019

@twose
Removing restriction on URI path characters upscalesoftware@af89876 should fix the issue.

sshymko added a commit to upscalesoftware/swoole-src that referenced this issue Aug 9, 2019
- Remove strict validation of URI path characters
- Resolve swoole#2751 Special characters in URI corrupt request object

matyhtf commented Aug 13, 2019

From twosee: According to the HTTP specification, special characters in URIs should be encoded.
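
The two positions in this thread (the raw `/test™` target that the parser rejects, and the point that such characters should be percent-encoded) can be compared at the byte level. The C sketch below is an added example, not code from Swoole or its bundled http_parser; the acceptance rule (printable ASCII 0x21..0x7E only) and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplifying assumption: a strict parser accepts only printable ASCII
 * (0x21..0x7E) in the request-target; raw UTF-8, space and controls fail. */
static int is_strict_target_byte(unsigned char c) { return c > 0x20 && c < 0x7F; }

/* Offset of the first byte a strict parser would reject, or -1 if none. */
int first_rejected_byte(const char *target)
{
    for (size_t i = 0; target[i] != '\0'; i++)
        if (!is_strict_target_byte((unsigned char)target[i]))
            return (int)i;
    return -1;
}

/* Percent-encode every rejected byte; accepted ASCII is copied unchanged.
 * Returns the encoded length, or -1 if the output buffer is too small. */
int encode_target(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        size_t need = is_strict_target_byte(c) ? 1 : 3;
        if (n + need + 1 > cap)          /* keep room for the NUL */
            return -1;
        if (need == 1) {
            out[n++] = (char)c;
        } else {
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char *raw = "/test\xE2\x84\xA2"; /* constructed: "/test™" as UTF-8 */
    char enc[64];
    printf("first rejected byte: offset %d\n", first_rejected_byte(raw));
    if (encode_target(raw, enc, sizeof enc) > 0)
        printf("encoded request-target: %s\n", enc);
    return 0;
}
```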
