More comprehensive test for illegal characters in HTTP/1 headers.

bin/varnishd/http1/cache_http1_proto.c

@@ -122,10 +122,15 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc)
 		if (vct_iscrlf(p))
 			break;
 		while (r < htc->rxbuf_e) {
-			if (!vct_iscrlf(r)) {
+			if (!vct_isctl(*r) || vct_issp(*r)) {
 				r++;
 				continue;
 			}
+			if (!vct_iscrlf(r)) {
+				VSLb(hp->vsl, SLT_BogoHeader,
+				    "Header has ctrl char 0x%02x", *r);
+				return (400);
+			}
 			q = r;
 			assert(r < htc->rxbuf_e);
 			r += vct_skipcrlf(r);

bin/varnishtest/tests/b00040.vtc

@@ -8,6 +8,15 @@ server s1 {
 
 varnish v1 -vcl+backend { } -start
 
+logexpect l1 -v v1 -g raw {
+	expect * 1001 BogoHeader {1st header has white space:.*}
+	expect * 1003 BogoHeader {1st header has white space:.*}
+	expect * 1005 BogoHeader {Header has ctrl char 0x0d}
+	expect * 1010 BogoHeader {Header has ctrl char 0x01}
+	expect * 1012 BogoHeader {Header has ctrl char 0x0d}
+	expect * 1014 BogoHeader {Header has ctrl char 0x0d}
+} -start
+
 client c1 {
 	send "GET /1 HTTP/1.1\r\n"
 	send " Host: foo\r\n"
@@ -41,3 +50,27 @@ client c1 {
 	rxresp
 	expect resp.status == 200
 } -run
+delay .1
+
+client c1 {
+	send "GET /5 HTTP/1.1\r\nHost: localhost\r\nBogo: Header\001More\r\n\r\n"
+	rxresp
+	expect resp.status == 400
+} -run
+delay .1
+
+client c1 {
+	send "GET /6 HTTP/1.1\r\nHost: localhost\r\nBogo: Header\r\r\n\r\n"
+	rxresp
+	expect resp.status == 400
+} -run
+delay .1
+
+client c1 {
+	send "GET /7 HTTP/1.1\r\nHost: localhost\r\nBogo: Header\rMore\r\n\r\n"
+	rxresp
+	expect resp.status == 400
+} -run
+
+logexpect l1 -wait
+