ac612dfeee
The existing code tried but did not properly reject alternative services using negative or too large port numbers. With this fix, the logic now also flushes the old entries immediately before adding a new one, making a following header with an illegal entry not flush the already stored entry. Report from the ongoing source code audit by Trail of Bits. Adjusted test 356 to verify. Closes #9607
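<testcase>
<info>
<keywords>
HTTP
Alt-Svc
</keywords>
</info>

#
# Server-side
#
# The reply carries three Alt-Svc headers, in this order:
#   1. port -1     - negative port number, must be rejected
#   2. port 81     - valid entry, must be stored; the second alternative on
#                    the same line uses an unrecognized protocol id and is
#                    expected to be left out of the cache
#   3. port 70000  - above the 16-bit port maximum (65535), must be rejected
# Header 3 deliberately follows the valid one: a rejected entry must not
# flush what an earlier header already stored.
<reply>
<data>
HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 14:49:00 GMT
Content-Length: 6
Connection: close
Content-Type: text/html
Funny-head: yesyes
Alt-Svc: h1="nowhere.foo:-1"
Alt-Svc: h1="nowhere.foo:81", un-kno22!wn=":82"
Alt-Svc: h1="nowhere.foo:70000"

-foo-
</data>
</reply>

#
# Client-side
#
# Alt-Svc is normally only honoured when it arrives over HTTPS. This test
# talks plain HTTP, so it requires a debug build (see <features>) in which
# the CURL_ALTSVC_HTTP environment variable lifts that restriction.
<client>
<features>
debug
alt-svc
</features>
<server>
http
</server>
<name>
parse incoming Alt-Svc and save to file
</name>
<setenv>
# make debug-curl accept Alt-Svc over plain HTTP
CURL_ALTSVC_HTTP="yeah"
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/%TESTNUMBER --alt-svc "log/altsvc-%TESTNUMBER"
</command>
</client>

#
# Verify data after the test has been "shot"
#
# The saved cache must hold exactly one alternative: nowhere.foo port 81.
# A line for port -1, port 70000 or the unknown protocol id would mean the
# parser accepted input it should have refused.
<verify>
<protocol>
GET /%TESTNUMBER HTTP/1.1
Host: %HOSTIP:%HTTPPORT
User-Agent: curl/%VERSION
Accept: */*

</protocol>
<stripfile>
# strip out the (dynamic) expire date from the file so that the rest
# matches
s/\"([^\"]*)\"/TIMESTAMP/
</stripfile>
<file name="log/altsvc-%TESTNUMBER" mode="text">
# Your alt-svc cache. https://curl.se/docs/alt-svc.html
# This file was generated by libcurl! Edit at your own risk.
h1 %HOSTIP %HTTPPORT h1 nowhere.foo 81 TIMESTAMP 0 0
</file>
</verify>
</testcase>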