From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1n7rPk-000230-Ck for mharc-grub-devel@gnu.org; Wed, 12 Jan 2022 23:08:40 -0500 Received: from eggs.gnu.org ([209.51.188.92]:41452) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1n7rPj-00022q-Ip for grub-devel@gnu.org; Wed, 12 Jan 2022 23:08:39 -0500 Received: from [2607:f8b0:4864:20::82a] (port=43711 helo=mail-qt1-x82a.google.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1n7rPh-0002rM-L4 for grub-devel@gnu.org; Wed, 12 Jan 2022 23:08:38 -0500 Received: by mail-qt1-x82a.google.com with SMTP id q14so5615229qtx.10 for ; Wed, 12 Jan 2022 20:08:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficientek-com.20210112.gappssmtp.com; s=20210112; h=date:from:to:cc:subject:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=iXCi4vwX5NJsuqWUOGO3RTpfRpiacqaoW2uu4dmJ98A=; b=tKkH+ocBJalf/55S+2Yrk96jbKwLNVPQN6SZOHWxA3bOr1bP8c5Hu2G9YCC2638gTg ZqE7LhLmtQhcI45To6ZEA+qElSTPS5uj2/AMbTW8fGg8cgS0RNbOrp6S0TIoVV6rYOI3 gFJN/UIxM9SkaoavsTO3qBLMBqpMS5tLc2hh1MXVt7l7eEN9m05jjMzSCjh+lPyQfFYQ CVtdaszqCqc1zVpEgEwcGjaMBWc8ZsXEN25ts2YcngCBuZBNGLlrskosG03xJ2dUEGTl NDya/jOAiDGFaHCtcPfta84TEC4xbLU5cSzGSp0aKM+q4mDdU8cMbun3k7vV68Ue75Qi iylA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=iXCi4vwX5NJsuqWUOGO3RTpfRpiacqaoW2uu4dmJ98A=; b=m/xjB8un3KlIRkl4LlzjM+CvJtmOOP526eX/fr+ciQMfwnWdpBistKl4hViSvnCkGs KBo0MH7VoJCCpmg5caa460HHEHO2SJ6SG3PLkstQt702xYhMORGoL8jIkf4SuoQVeGQq l7MjGXTvNf0gWEZenZIRMEPjJNXxYqqkLx8PdYFyh1esi7a4q/lz2AtfHazSLh93ShOm zrVT+oGedNxvQdq1vj+zvz44cWotQcjJhvfe/u3e3TE3jKCgYSnK5p+n7/r3yGLumC0n pP7LLNAfFBCbGDD00WUcneEf7bORwuw895TVICaxWnwskKuvj6Q1CGdPuROFG9DBa8C2 ZwWw== X-Gm-Message-State: AOAM5313nVSUfBPIOwKhiLs01q0ez+MHeLP7cS1Q9/H+zajtslM+Msev ZobuChJ1CkDeArtfoBfoWjY/HA== X-Google-Smtp-Source: ABdhPJx5niVb60H5IBu4rUfjQdXgad+RqJqylR0YSspy+9LUwZy81OQPkzu8saqll2SlEJoN0OyZPQ== X-Received: by 2002:ac8:5e13:: with SMTP id h19mr2254871qtx.444.1642046916855; Wed, 12 Jan 2022 20:08:36 -0800 (PST) Received: from crass-HP-ZBook-15-G2 ([37.218.244.251]) by smtp.gmail.com with ESMTPSA id 8sm1341301qtz.86.2022.01.12.20.08.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 Jan 2022 20:08:36 -0800 (PST) Date: Wed, 12 Jan 2022 22:08:23 -0600 From: Glenn Washburn To: Javier Moragon Cc: The development of GNU GRUB Subject: Re: [PATCH] http module is not checking correctly HTTP headers Message-ID: <20220112220823.5e512f99@crass-HP-ZBook-15-G2> In-Reply-To: References: Reply-To: development@efficientek.com X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Host-Lookup-Failed: Reverse DNS lookup failed for 2607:f8b0:4864:20::82a (failed) Received-SPF: pass client-ip=2607:f8b0:4864:20::82a; envelope-from=development@efficientek.com; helo=mail-qt1-x82a.google.com X-Spam_score_int: -10 X-Spam_score: -1.1 X-Spam_bar: - X-Spam_report: (-1.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jan 2022 04:08:39 -0000 On Wed, 12 Jan 2022 23:54:58 +0100 Javier Moragon wrote: > According to https://www.ietf.org/rfc/rfc2616.txt 4.2, header names > shall be case insensitive and we are now forced to read headers like > `Content-Length` capitalized. > > The problem with that is when a HTTP server responds with a > `content-length` header in lowercase GRUB gets stuck because HTTP > module doesn't know the length of the transmision and the call never > ends. I've been able to reproduce it and after ignoring the text case > it worked perfectly. > > Here is it my patch proposal: > > diff --git a/grub-core/net/http.c b/grub-core/net/http.c > index b616cf40b..570fa3934 100644 > --- a/grub-core/net/http.c > +++ b/grub-core/net/http.c > @@ -130,7 +130,7 @@ parse_line (grub_file_t file, http_data_t data, > char *ptr, grub_size_t len) > data->first_line_recv = 1; > return GRUB_ERR_NONE; > } > - if (grub_memcmp (ptr, "Content-Length: ", sizeof ("Content-Length: ") - 1) > + if (grub_strncasecmp (ptr, "Content-Length: ", grub_strlen > ("Content-Length: ") ) I don't think there should be a new line here. And why change to grub_strlen? Now the length is calculated everytime at runtime instead of once at compile time. > == 0 && !data->size_recv) > { > ptr += sizeof ("Content-Length: ") - 1; > @@ -138,8 +138,8 @@ parse_line (grub_file_t file, http_data_t data, > char *ptr, grub_size_t len) > data->size_recv = 1; > return GRUB_ERR_NONE; > } > - if (grub_memcmp (ptr, "Transfer-Encoding: chunked", > - sizeof ("Transfer-Encoding: chunked") - 1) == 0) > + if (grub_strncasecmp (ptr, "Transfer-Encoding: chunked", > + grub_strlen ("Transfer-Encoding: chunked") ) == 0) Ditto on the grub_strlen. I also don't like the original indentation of this line and think that it should align with "ptr". > { > data->chunked = 1; > return GRUB_ERR_NONE; Otherwise, it seems like good patch. Glenn