httpd: don't allow tabs and multiple spaces in request string

HTTP standard doesn't allow it and no sane clients should ever use it.

function                                             old     new   delta
handle_incoming_and_exit                            2795    2785     -10

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/networking/httpd.c b/networking/httpd.c
index 1934bb27e..b46eb0fab 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1964,7 +1964,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
                 send_headers_and_exit(HTTP_BAD_REQUEST);
 
         /* Determine type of request (GET/POST) */
-        urlp = strpbrk(iobuf, " \t");
+        // rfc2616: method and URI is separated by exactly one space
+        //urlp = strpbrk(iobuf, " \t"); - no, tab isn't allowed
+        urlp = strchr(iobuf, ' ');
         if (urlp == NULL)
                 send_headers_and_exit(HTTP_BAD_REQUEST);
         *urlp++ = '\0';
@@ -1982,7 +1984,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
         if (strcasecmp(iobuf, request_GET) != 0)
                 send_headers_and_exit(HTTP_NOT_IMPLEMENTED);
 #endif
-        urlp = skip_whitespace(urlp);
+        // rfc2616: method and URI is separated by exactly one space
+        //urlp = skip_whitespace(urlp); - should not be necessary
         if (urlp[0] != '/')
                 send_headers_and_exit(HTTP_BAD_REQUEST);