commit libhtp for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libhtp for openSUSE:Factory checked in at 2023-06-30 19:58:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libhtp (Old) and /work/SRC/openSUSE:Factory/.libhtp.new.13546 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libhtp" Fri Jun 30 19:58:48 2023 rev:15 rq:1096030 version:0.5.44 Changes: -------- --- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes 2023-04-29 17:28:24.606609881 +0200 +++ /work/SRC/openSUSE:Factory/.libhtp.new.13546/libhtp.changes 2023-06-30 19:59:08.413739106 +0200 @@ -1,0 +2,8 @@ +Tue Jun 20 07:19:24 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com> + +- Update to version 0.5.44 + * response: only trim spaces at headers names end + * response: skips lines before response line + * headers: log a warning for chunks extension + +------------------------------------------------------------------- Old: ---- libhtp-0.5.43.tar.gz New: ---- libhtp-0.5.44.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libhtp.spec ++++++ --- /var/tmp/diff_new_pack.C1LlxR/_old 2023-06-30 19:59:09.597746148 +0200 +++ /var/tmp/diff_new_pack.C1LlxR/_new 2023-06-30 19:59:09.633746362 +0200 @@ -19,7 +19,7 @@ %define sover 2 %define lname %{name}%{sover} Name: libhtp -Version: 0.5.43 +Version: 0.5.44 Release: 0 Summary: HTTP normalizer and parser License: BSD-3-Clause ++++++ libhtp-0.5.43.tar.gz -> libhtp-0.5.44.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/ChangeLog new/libhtp-0.5.44/ChangeLog --- old/libhtp-0.5.43/ChangeLog 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/ChangeLog 2023-06-13 15:14:36.000000000 +0200 
@@ -1,3 +1,12 @@ +0.5.44 (13 June 2023) +--------------------- + +- response: only trim spaces at headers names end + +- response: skips lines before response line + +- headers: log a warning for chunks extension + 0.5.43 (13 April 2023) ---------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/VERSION new/libhtp-0.5.44/VERSION --- old/libhtp-0.5.43/VERSION 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/VERSION 2023-06-13 15:14:36.000000000 +0200 @@ -1,2 +1,2 @@ # This file is intended to be sourced by sh -PKG_VERSION=0.5.43 +PKG_VERSION=0.5.44 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_private.h new/libhtp-0.5.44/htp/htp_private.h --- old/libhtp-0.5.43/htp/htp_private.h 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/htp/htp_private.h 2023-06-13 15:14:36.000000000 +0200 @@ -181,7 +181,7 @@ void htp_utf8_validate_path(htp_tx_t *tx, bstr *path); int64_t htp_parse_content_length(bstr *b, htp_connp_t *connp); -int64_t htp_parse_chunked_length(unsigned char *data, size_t len); +int64_t htp_parse_chunked_length(unsigned char *data, size_t len, int *extension); int64_t htp_parse_positive_integer_whitespace(unsigned char *data, size_t len, int base); int htp_parse_status(bstr *status); int htp_parse_authorization_digest(htp_connp_t *connp, htp_header_t *auth_header); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_request.c new/libhtp-0.5.44/htp/htp_request.c --- old/libhtp-0.5.43/htp/htp_request.c 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/htp/htp_request.c 2023-06-13 15:14:36.000000000 +0200 
@@ -499,7 +499,11 @@ htp_chomp(data, &len); - connp->in_chunked_length = htp_parse_chunked_length(data, len); + int chunk_ext = 0; + connp->in_chunked_length = htp_parse_chunked_length(data, len, &chunk_ext); + if (chunk_ext == 1) { + htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request chunk extension"); + } htp_connp_req_clear_buffer(connp); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_response.c new/libhtp-0.5.44/htp/htp_response.c --- old/libhtp-0.5.43/htp/htp_response.c 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/htp/htp_response.c 2023-06-13 15:14:36.000000000 +0200 @@ -415,8 +415,11 @@ fprint_raw_data(stderr, "Chunk length line", data, len); #endif - connp->out_chunked_length = htp_parse_chunked_length(data, len); - + int chunk_ext = 0; + connp->out_chunked_length = htp_parse_chunked_length(data, len, &chunk_ext); + if (chunk_ext == 1) { + htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request chunk extension"); + } // empty chunk length line, lets try to continue if (connp->out_chunked_length == -1004) { connp->out_current_consume_offset = connp->out_current_read_offset; 
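Review bot: The warning added after `htp_parse_chunked_length()` in htp_request.c fires once per chunk-size line, so a body that puts a `;` extension on every chunk produces one log entry per chunk. If `htp_log` keeps each message on the connection (not visible in this hunk), the peer controls how fast that list grows. Consider warning once per transaction by guarding the call with a per-transaction flag, e.g. `if (chunk_ext == 1 && !ext_logged)`, where `ext_logged` is a placeholder name. The same applies to the matching block in htp_response.c. The enclosing function starts and ends outside the hunk.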
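Review bot: The message logged in the response chunk-length path of htp_response.c reads "Request chunk extension", the same text as in htp_request.c, so someone reading the log cannot tell which direction carried the extension. On the `out_` side it should be `htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Response chunk extension");`. The hunk also removes the blank line before `// empty chunk length line`; keeping it would separate the new block from the -1004 handling. The enclosing function starts and ends outside the hunk.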
@@ -1075,6 +1078,12 @@ // data as a response body because that is what browsers do. if (htp_treat_response_line_as_body(data, len)) { + // if we have a next line beginning with H, skip this one + if (connp->out_current_read_offset+1 < connp->out_current_len && (connp->out_current_data[connp->out_current_read_offset] == 'H' || len <= 2)) { + connp->out_tx->response_ignored_lines++; + htp_connp_res_clear_buffer(connp); + return HTP_OK; + } connp->out_tx->response_content_encoding_processing = HTP_COMPRESSION_NONE; connp->out_current_consume_offset = connp->out_current_read_offset; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_response_generic.c new/libhtp-0.5.44/htp/htp_response_generic.c --- old/libhtp-0.5.43/htp/htp_response_generic.c 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/htp/htp_response_generic.c 2023-06-13 15:14:36.000000000 +0200 @@ -173,7 +173,7 @@ // Ignore unprintable after field-name. prev = name_end; - while ((prev > name_start) && (data[prev - 1] <= 0x20)) { + while ((prev > name_start) && htp_is_space(data[prev - 1])) { prev--; name_end--; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/htp/htp_util.c new/libhtp-0.5.44/htp/htp_util.c --- old/libhtp-0.5.43/htp/htp_util.c 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/htp/htp_util.c 2023-06-13 15:14:36.000000000 +0200 @@ -300,7 +300,7 @@ * @param[in] len * @return Chunk length, or a negative number on error. */ -int64_t htp_parse_chunked_length(unsigned char *data, size_t len) { +int64_t htp_parse_chunked_length(unsigned char *data, size_t len, int *extension) { // skip leading line feeds and other control chars while (len) { unsigned char c = *data; 
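Review bot: The added comment in htp_response.c says the line is skipped when the next line begins with H, but the condition also skips whenever `len <= 2`, and the `'H'` test matches any next byte `H` rather than the start of `HTTP/`. The context comment says such data is treated as body "because that is what browsers do", so on this new path the parser may disagree with a browser about where the body starts, which matters for a library used for traffic inspection. I would document both cases, e.g. `// Skip this line if it is short (len <= 2) or the next buffered byte is 'H' (a status line may follow).` It is also worth checking that `response_ignored_lines` is bounded somewhere, since no limit is visible in this hunk. The enclosing function continues outside the hunk.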
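Review bot: The context comment `// Ignore unprintable after field-name.` in htp_response_generic.c no longer matches the loop. The old test `<= 0x20` trimmed every control byte, while the new one trims only what `htp_is_space()` accepts, so other low bytes (NUL, for example, assuming it is not classed as space) now stay at the end of the header name. Update the comment to `// Trim trailing whitespace after field-name; other control bytes stay in the name.` Whether a name ending in a control byte is flagged later in the function is not visible here and should be confirmed.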
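Review bot: The doc comment above `htp_parse_chunked_length` in htp_util.c still ends at `@param[in] len`; the new `extension` out-parameter is undocumented. Add `* @param[out] extension Set to 1 if a ';' follows the length digits; never cleared; may be NULL.` Judging by the later hunk in this file the function only ever writes 1, so callers must initialise the int to 0, as both call sites in this commit do. The function body continues outside the hunk.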
@@ -323,6 +323,16 @@ } // cut off trailing junk if (i != len) { + if (extension) { + size_t j = i; + while (j < len) { + if (data[j] == ';') { + *extension = 1; + break; + } + j++; + } + } len = i; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.43/test/test_utils.cpp new/libhtp-0.5.44/test/test_utils.cpp --- old/libhtp-0.5.43/test/test_utils.cpp 2023-04-13 10:41:58.000000000 +0200 +++ new/libhtp-0.5.44/test/test_utils.cpp 2023-06-13 15:14:36.000000000 +0200 @@ -215,7 +215,7 @@ } TEST(UtilTest, ParseChunkedLength) { - EXPECT_EQ(0x12a5, htp_parse_chunked_length((unsigned char*) "12a5", 4)); + EXPECT_EQ(0x12a5, htp_parse_chunked_length((unsigned char*) "12a5", 4, NULL)); } TEST(UtilTest, IsLineFolded) {
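Review bot: The hand-written scan for `;` inside the `if (i != len)` branch can be a single call: `if (extension && memchr(data + i, ';', len - i) != NULL) *extension = 1;` (this needs `<string.h>`, whose inclusion is not visible here). The flag is also set for a `;` anywhere in the trailing bytes, not only directly after the hex digits, so it is worth stating that in a comment such as `// any ';' in the trailing bytes counts as a chunk extension`. The function starts and ends outside the hunk.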
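Review bot: The `ParseChunkedLength` test in test_utils.cpp only adapts the existing call by passing `NULL`, so the new out-parameter has no coverage. A constructed case such as `int ext = 0; EXPECT_EQ(0x12a5, htp_parse_chunked_length((unsigned char*) "12a5;x=1", 8, &ext)); EXPECT_EQ(1, ext);` would pin both the length and the flag. The expected length assumes the bytes after the hex digits are cut off, as the htp_util.c hunk suggests. A second case without `;` should assert that `ext` stays 0.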