Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libhtp for openSUSE:Factory checked in at 2024-04-30 17:28:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libhtp (Old) and /work/SRC/openSUSE:Factory/.libhtp.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libhtp" Tue Apr 30 17:28:13 2024 rev:18 rq:1170919 version:0.5.48 Changes: -------- --- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes 2024-02-22 21:02:45.988484438 +0100 +++ /work/SRC/openSUSE:Factory/.libhtp.new.1880/libhtp.changes 2024-04-30 17:29:52.215648591 +0200 @@ -1,0 +2,9 @@ +Thu Apr 25 20:11:06 UTC 2024 - Martin Hauke <mardnh@gmx.de> + +- Update to version 0.5.48 + * decompressor: only take erroneous data on first try + * autotools: run autoupdate to modernize build system +- Update to version 0.5.47 + * request: limit probing after missing protocol + +------------------------------------------------------------------- Old: ---- libhtp-0.5.46.tar.gz New: ---- libhtp-0.5.48.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libhtp.spec ++++++ --- /var/tmp/diff_new_pack.QJ6P31/_old 2024-04-30 17:29:52.635663864 +0200 +++ /var/tmp/diff_new_pack.QJ6P31/_new 2024-04-30 17:29:52.635663864 +0200 @@ -19,7 +19,7 @@ %define sover 2 %define lname %{name}%{sover} Name: libhtp -Version: 0.5.46 +Version: 0.5.48 Release: 0 Summary: HTTP normalizer and parser License: BSD-3-Clause ++++++ libhtp-0.5.46.tar.gz -> libhtp-0.5.48.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.46/ChangeLog new/libhtp-0.5.48/ChangeLog --- old/libhtp-0.5.46/ChangeLog 2024-02-08 05:34:38.000000000 +0100 +++ new/libhtp-0.5.48/ChangeLog 2024-04-22 16:41:50.000000000 +0200 
@@ -1,3 +1,15 @@ +0.5.48 (22 April 2024) +---------------------- + +- decompressor: only take erroneous data on first try + +- autotools: run autoupdate to modernize build system + +0.5.47 (19 March 2024) +---------------------- + +- request: limit probing after missing protocol + 0.5.46 (08 February 2024) ------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.46/VERSION new/libhtp-0.5.48/VERSION --- old/libhtp-0.5.46/VERSION 2024-02-08 05:34:38.000000000 +0100 +++ new/libhtp-0.5.48/VERSION 2024-04-22 16:41:50.000000000 +0200 @@ -1,2 +1,2 @@ # This file is intended to be sourced by sh -PKG_VERSION=0.5.46 +PKG_VERSION=0.5.48 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.46/configure.ac new/libhtp-0.5.48/configure.ac --- old/libhtp-0.5.46/configure.ac 2024-02-08 05:34:38.000000000 +0100 +++ new/libhtp-0.5.48/configure.ac 2024-04-22 16:41:50.000000000 +0200 @@ -3,7 +3,7 @@ dnl Initialization macros dnl ---------------------- -AC_INIT([LibHTP], m4_esyscmd([./get-version.sh VERSION])) +AC_INIT([LibHTP],[m4_esyscmd(./get-version.sh VERSION)]) AM_INIT_AUTOMAKE() AC_CONFIG_HEADERS([htp_config_auto_gen.h]) @@ -86,7 +86,7 @@ AC_PROG_CC AM_PROG_CC_C_O AC_PROG_CXX -AM_PROG_LIBTOOL +LT_INIT AM_SANITY_CHECK # Checks for library functions @@ -99,7 +99,7 @@ dnl ----------------------------------------------- dnl Checks for libs. dnl ----------------------------------------------- -AC_CHECK_HEADER(zlib.h,,[AC_ERROR(zlib.h not found ...)]) +AC_CHECK_HEADER(zlib.h,,[AC_MSG_ERROR(zlib.h not found ...)]) ZLIB="" AC_CHECK_LIB(z, inflate,, ZLIB="no") if test "$ZLIB" = "no"; then 
@@ -161,13 +161,11 @@ TMPLIBS="${LIBS}" LIBS="${LIBS} ${LIBICONV}" -AC_TRY_LINK([#include <stdlib.h> - #include <iconv.h>], - [int iconv_param = 0; +AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <stdlib.h> + #include <iconv.h>]], [[int iconv_param = 0; iconv_t cd = iconv_open("",""); iconvctl(cd, ICONV_SET_DISCARD_ILSEQ, &iconv_param); - iconv_close(cd);], - [ac_cv_func_iconvctl=yes]) + iconv_close(cd);]])],[ac_cv_func_iconvctl=yes],[]) AC_MSG_RESULT($ac_cv_func_iconvctl) if test "$ac_cv_func_iconvctl" == yes; then AC_DEFINE(HAVE_ICONVCTL,1,"Define to 1 if you have the `iconvctl' function.") @@ -185,7 +183,7 @@ AC_MSG_CHECKING(for gcc support of -Wstrict-overflow=1) TMPCFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} -Wstrict-overflow=1" -AC_TRY_COMPILE(,,[gcc_have_strict_overflow=yes],[gcc_have_strict_overflow=no]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[gcc_have_strict_overflow=yes],[gcc_have_strict_overflow=no]) AC_MSG_RESULT($gcc_have_strict_overflow) if test "$gcc_have_strict_overflow" != "yes"; then CFLAGS="${TMPCFLAGS}" @@ -198,7 +196,7 @@ AC_MSG_CHECKING(for gcc support of stack smashing protection) TMPCFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} -fstack-protector" -AC_TRY_COMPILE(,,[gcc_have_fstack_protector=yes],[gcc_have_fstack_protector=no]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[gcc_have_fstack_protector=yes],[gcc_have_fstack_protector=no]) AC_MSG_RESULT($gcc_have_fstack_protector) if test "$gcc_have_fstack_protector" != "yes"; then CFLAGS="${TMPCFLAGS}" @@ -211,7 +209,7 @@ AC_MSG_CHECKING(for gcc support of FORTIFY_SOURCE) TMPCFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2" -AC_TRY_COMPILE(,,[gcc_have_fortify_source=yes],[gcc_have_fortify_source=no]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[gcc_have_fortify_source=yes],[gcc_have_fortify_source=no]) AC_MSG_RESULT($gcc_have_fortify_source) if test "$gcc_have_fortify_source" != "yes"; then CFLAGS="${TMPCFLAGS}" 
@@ -223,7 +221,7 @@ AC_MSG_CHECKING(for gcc support of -Wformat -Wformat-security) TMPCFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} -Wformat -Wformat-security" -AC_TRY_COMPILE(,,[gcc_have_format_security=yes],[gcc_have_format_security=no]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[gcc_have_format_security=yes],[gcc_have_format_security=no]) AC_MSG_RESULT($gcc_have_format_security) if test "$gcc_have_format_security" != "yes"; then CFLAGS="${TMPCFLAGS}" @@ -232,7 +230,7 @@ AC_MSG_CHECKING(for gcc support of -fPIC) TMPCFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} -fPIC" -AC_TRY_COMPILE(,,[gcc_have_fpic=yes],[gcc_have_fpic=no]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[gcc_have_fpic=yes],[gcc_have_fpic=no]) AC_MSG_RESULT($gcc_have_fpic) if test "$gcc_have_fpic" != "yes"; then CFLAGS="${TMPCFLAGS}" @@ -266,10 +264,11 @@ dnl ----------------------------------------------- AC_PREFIX_DEFAULT(/usr/local) -AC_OUTPUT(Makefile \ +AC_CONFIG_FILES([Makefile \ htp.pc \ htp/Makefile \ htp/lzma/Makefile \ test/Makefile \ docs/Makefile -) +]) +AC_OUTPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.46/htp/htp_decompressors.c new/libhtp-0.5.48/htp/htp_decompressors.c --- old/libhtp-0.5.46/htp/htp_decompressors.c 2024-02-08 05:34:38.000000000 +0100 +++ new/libhtp-0.5.48/htp/htp_decompressors.c 2024-04-22 16:41:50.000000000 +0200 
@@ -317,7 +317,7 @@ return HTP_ERROR; } if (GZIP_BUF_SIZE > drec->stream.avail_out) { - if (rc == Z_DATA_ERROR) { + if (rc == Z_DATA_ERROR && drec->restart == 0) { // There is data even if there is an error // So use this data and log a warning htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.46/htp/htp_request.c new/libhtp-0.5.48/htp/htp_request.c --- old/libhtp-0.5.46/htp/htp_request.c 2024-02-08 05:34:38.000000000 +0100 +++ new/libhtp-0.5.48/htp/htp_request.c 2024-04-22 16:41:50.000000000 +0200 @@ -732,6 +732,14 @@ return HTP_ERROR; } +// HTTP/0.9 is supposed to be only a request line without protocol. +// Libhtp will still consider the request to be HTTP/0.9 if there +// are some junk whitespaces after that request line. +// Libhtp allows the small value of 16 extra bytes/whitespaces, +// otherwise we consider it to be a HTTP/1.x request with missing protocol. +// It is unlikely to meet HTTP/0.9, and we want to limit probing. +#define HTTP09_MAX_JUNK_LEN 16 + /** * Determines request protocol. * @@ -749,6 +757,14 @@ // Let's check if the protocol was simply missing int64_t pos = connp->in_current_read_offset; // Probe if data looks like a header line + if (connp->in_current_len > connp->in_current_read_offset + HTTP09_MAX_JUNK_LEN) { + htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: missing protocol"); + connp->in_tx->is_protocol_0_9 = 0; + // Switch to request header parsing. + connp->in_state = htp_connp_REQ_HEADERS; + connp->in_tx->request_progress = HTP_REQUEST_HEADERS; + return HTP_OK; + } while (pos < connp->in_current_len) { if (!htp_is_space(connp->in_current_data[pos])) { htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: missing protocol");
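Review bot: The two comment lines directly under the changed condition, `// There is data even if there is an error` and `// So use this data and log a warning`, no longer describe the branch: it is now also gated on `drec->restart == 0`, and nothing in the hunk records why partial output is only trusted on the first attempt (where `restart` is set and what the alternative path does are outside the hunk). I would replace them with `// On Z_DATA_ERROR keep the partial output only on the first attempt` / `// (drec->restart == 0); once a restart has happened this branch is skipped` so the next reader does not have to reconstruct the intent from the ChangeLog entry. The enclosing function starts and ends outside the hunk.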
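Review bot: The new early return in the second htp_request.c hunk decides between HTTP/0.9 and "missing protocol" from `connp->in_current_len`, i.e. from how many bytes happen to be buffered in the current input chunk, not from how much junk actually follows the request line, so the same byte stream delivered in different chunk sizes can be classified differently; for a normalizer whose view is meant to match the server's, that is a parser-differential worth stating. If the chunk-dependent bound is intended as a cheap cap on probing, it deserves a comment such as `// NOTE: bound is on bytes buffered in this chunk, not on junk actually seen; classification may depend on chunking`; otherwise counting the whitespace the loop below walks against `HTTP09_MAX_JUNK_LEN` would appear to be chunk-independent, though that loop continues outside the hunk. The body of the new branch also repeats the log-and-switch sequence that the loop's non-space case appears to perform (the same `"Request line: missing protocol"` message is visible in both), so a small `static` helper would keep the two paths from drifting apart. The enclosing function starts and ends outside the hunk.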