Merged PR 25295: Allow spaces between the url and http version (#43704)

Tratcher · web-flow · commit b7db82a7a04d · 2022-09-07T09:08:49.000-07:00
# Allow spaces between the url and http version

## Description

This is a change for app service to allow requests that have extra spaces between the url and http version. E.g. "GET(sp)/(sp)(sp)HTTP/1.1\r\n". The spec only allows one space, but some clients send more than one and IIS/Http.Sys allow it.

## Customer Impact

The customer regressed when app service moved to Kestrel. The customer doesn't expect to be able to update/replace the affected clients for 3+ years.

## Regression?

- [ ] Yes
- [ ] No
- [x] Umm...

Not a regression in Kestrel, but a compat break for customers moving from IIS/Http.Sys.

## Risk

- [ ] High
- [ ] Medium
- [x] Low

Constrained, unit testable.

## Verification

- [x] Manual (required)
- [x] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A
diff --git a/src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs b/src/Servers/Kestrel/Core/src/Internal/Http/HttpParser.cs
@@ -148,6 +148,14 @@ private void ParseRequestLine(TRequestHandler handler, ReadOnlySpan<byte> reques
             // Consume space
             offset++;
 
+            while ((uint)offset < (uint)requestLine.Length
+                && requestLine[offset] == ByteSpace)
+            {
+                // It's invalid to have multiple spaces between the url resource and version
+                // but some clients do it. Skip them.
+                offset++;
+            }
+
             // Version + CR is 9 bytes which should take us to .Length
             // LF should have been dropped prior to method call
             if ((uint)offset + 9 != (uint)requestLine.Length || requestLine[offset + sizeof(ulong)] != ByteCR)
diff --git a/src/Servers/Kestrel/shared/test/HttpParsingData.cs b/src/Servers/Kestrel/shared/test/HttpParsingData.cs
@@ -76,7 +76,9 @@ public static IEnumerable<string[]> RequestLineValidData
                 var httpVersions = new[]
                 {
                     "HTTP/1.0",
-                    "HTTP/1.1"
+                    "HTTP/1.1",
+                    " HTTP/1.1",
+                    "   HTTP/1.1"
                 };
 
                 return from method in methods
@@ -91,7 +93,7 @@ select new[]
                            $"{path.Item1}",
                            $"{path.Item2}",
                            queryString,
-                           httpVersion
+                           httpVersion.Trim()
                        };
             }
         }
@@ -164,6 +166,12 @@ public static IEnumerable<string> RequestLineInvalidData
                     "GET / HTTP/1.1\n",
                     "GET / HTTP/1.0\rA\n",
                     "GET / HTTP/1.1\ra\n",
+                    "GET  / HTTP/1.1\r\n",
+                    "GET   / HTTP/1.1\r\n",
+                    "GET  /  HTTP/1.1\r\n",
+                    "GET   /   HTTP/1.1\r\n",
+                    "GET / HTTP/1.1 \r\n",
+                    "GET / HTTP/1.1  \r\n",
                     "GET / H\r\n",
                     "GET / HT\r\n",
                     "GET / HTT\r\n",
@@ -195,6 +203,12 @@ public static IEnumerable<string> RequestLineInvalidData
                     "CUSTOM / HTTP/1.1\n",
                     "CUSTOM / HTTP/1.0\rA\n",
                     "CUSTOM / HTTP/1.1\ra\n",
+                    "CUSTOM  / HTTP/1.1\r\n",
+                    "CUSTOM   / HTTP/1.1\r\n",
+                    "CUSTOM  /  HTTP/1.1\r\n",
+                    "CUSTOM   /   HTTP/1.1\r\n",
+                    "CUSTOM / HTTP/1.1 \r\n",
+                    "CUSTOM / HTTP/1.1  \r\n",
                     "CUSTOM / H\r\n",
                     "CUSTOM / HT\r\n",
                     "CUSTOM / HTT\r\n",
