fix parsing: stricter checks for CRLF

c-cube · c-cube · commit d38eb852f807 · 2024-10-13T20:42:26.000-04:00
diff --git a/src/core/headers.ml b/src/core/headers.ml
@@ -50,7 +50,10 @@ let parse_ ~(buf : Buf.t) (bs : IO.Input.t) : t =
   let rec loop acc =
     match IO.Input.read_line_using_opt ~buf bs with
     | None -> raise End_of_file
+    | Some "" -> assert false
     | Some "\r" -> acc
+    | Some line when line.[String.length line - 1] <> '\r' ->
+      bad_reqf 400 "bad header line, not ended in CRLF"
     | Some line ->
       let k, v =
         try
diff --git a/src/core/request.ml b/src/core/request.ml
@@ -110,6 +110,9 @@ let parse_req_start ~client_addr ~get_time_s ~buf (bs : IO.Input.t) :
   try
     let line = IO.Input.read_line_using ~buf bs in
     Log.debug (fun k -> k "parse request line: %S" line);
+
+    if line <> "" && line.[String.length line - 1] <> '\r' then
+      bad_reqf 400 "invalid status line, not ending in CRLF";
     let start_time = get_time_s () in
     let meth, path, version =
       try
