    Commit

  • Hash : 92ea8476
    Author : Ben Kallus
    Date : 2024-02-18T08:56:46

    Forbid 0x/+/-/whitespace prefixes on HTTP chunk sizes (#1542)
    
    Currently, libevent's HTTP parser accepts and ignores 0x, +, and whitespace prefixes on chunk sizes. It also ignores - prefixes on chunk sizes of 0. This patch fixes that.
    
    There is a potential danger in the current behavior, which is that there exist HTTP implementations that interpret chunk sizes as their longest valid prefix. For those implementations, 0xa (for example) is equivalent to 0, and this may present a request smuggling risk when those implementations are used in conjunction with libevent. However, as far as I'm aware, there is no HTTP proxy that both interprets 0xa as 0 and forwards it verbatim, so I think this is a low-risk bug that is acceptable to report in public.
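    As an added illustration (not libevent's code, and not the commit's diff), the two parsers below show why the prefixes named above slip through and what a strict check looks like: the lenient one mirrors the pre-fix behaviour described in the message by relying on strtoll(base 16), which skips leading whitespace and accepts an optional sign and "0x"; the strict one follows the RFC 9112 chunk-size grammar (1*HEXDIG, optional chunk-ext, CRLF) and rejects everything else. Function names are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parse (hypothetical, mirrors the pre-fix behaviour the commit
 * describes): strtoll with base 16 skips leading whitespace and accepts an
 * optional sign and a "0x" prefix, so " a", "+a", "0xa" and "-0" all parse.
 * A peer that reads only the longest valid hex prefix sees "0xa" as 0. */
long long chunk_size_lenient(const char *line)
{
    char *end;
    errno = 0;
    long long v = strtoll(line, &end, 16);
    if (end == line || errno == ERANGE)
        return -1;
    return v;
}

/* Strict parse per RFC 9112 section 7.1:
 *   chunk-size = 1*HEXDIG, optionally followed by chunk-ext (";..."),
 *   terminated by CRLF. Anything else, including 0x/+/-/whitespace
 *   prefixes, is rejected with -1 so every hop agrees on the size. */
long long chunk_size_strict(const char *line)
{
    const char *p = line;
    long long v = 0;
    int ndigits = 0;

    for (; isxdigit((unsigned char)*p); p++) {
        if (++ndigits > 15)      /* cap digits so the size cannot overflow */
            return -1;
        int c = tolower((unsigned char)*p);
        v = v * 16 + (c >= 'a' ? c - 'a' + 10 : c - '0');
    }
    if (ndigits == 0)
        return -1;               /* no digit, or a forbidden prefix like "+" */
    if (*p == ';')               /* chunk-ext: skip to end of line */
        while (*p && *p != '\r')
            p++;
    if (strcmp(p, "\r\n") != 0)
        return -1;               /* line must end exactly with CRLF */
    return v;
}
```

    The strict parser returns 10 for "a\r\n" and "a;ext=1\r\n" but -1 for "0xa\r\n", " a\r\n", "+a\r\n" and "-0\r\n", while the lenient one accepts all of them.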

  • README.md

    1. BUILDING AND INSTALLATION

    CMake (Unix)

    mkdir build && cd build
    cmake ..     # Default to Unix Makefiles.
    make
    make verify  # (optional)

    See Documentation/Building#Building on Unix using CMake for more information.

    CMake (Windows)

    Install CMake: https://cmake.org/

    md build && cd build
    cmake -G "Visual Studio 10" ..   # Or use any generator you want to use. Run cmake --help for a list
    cmake --build . --config Release # Or "start libevent.sln" and build with menu in Visual Studio.

    See Documentation/Building#Building on Windows for more information.

    Package Managers

    You can download and install libevent using the vcpkg dependency manager:

    git clone https://github.com/Microsoft/vcpkg.git
    cd vcpkg
    ./bootstrap-vcpkg.sh
    ./vcpkg integrate install
    ./vcpkg install libevent

    The libevent port in vcpkg is kept up to date by Microsoft team members and community contributors. If the version is out of date, please create an issue or pull request on the vcpkg repository.

    Autoconf

    Note: since 2.2, the Autoconf build is deprecated.

    ./configure
    make
    make verify   # (optional)
    sudo make install

    See Documentation/Building#Autoconf for more information.

    2. USEFUL LINKS:

    For the latest released version of Libevent, see the official website at https://libevent.org/ .

    There’s a pretty good work-in-progress manual up at http://www.wangafu.net/~nickm/libevent-book/ .

    For the latest development versions of Libevent, access our Git repository via

    $ git clone https://github.com/libevent/libevent.git

    You can browse the git repository online at:

    https://github.com/libevent/libevent

    To report bugs, issues, or ask for new features:

    Patches: https://github.com/libevent/libevent/pulls

    OK, those are not really patches. You fork, modify, and hit the “Create Pull Request” button. You can still submit normal git patches via the mailing list.

    Bugs, Features [RFC], and Issues: https://github.com/libevent/libevent/issues

    Or you can do it via the mailing list.

    There’s also a libevent-users mailing list for talking about Libevent use and development:

    https://archives.seul.org/libevent/users/

    3. ACKNOWLEDGMENTS

    The following people have helped with suggestions, ideas, code or fixing bugs.