From f97bb3898e4d5eef036c382a0c37dcd75c914318 Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 9 Apr 2026 18:35:49 +0000
Subject: [PATCH] At the end of parsing the http response header do some sanity checks to ensure that the response includes all needed data. Right now only the presence of a Location header is checked if a HTTP redirect was returned (e.g. a 301 status). Different fix for a report from Daniel Anderson OK tb@
---
 usr.sbin/rpki-client/http.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/rpki-client/http.c b/usr.sbin/rpki-client/http.c
index a6d69591900..4f0e7785a62 100644
--- a/usr.sbin/rpki-client/http.c
+++ b/usr.sbin/rpki-client/http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: http.c,v 1.101 2026/03/27 08:10:46 job Exp $ */
+/* $OpenBSD: http.c,v 1.102 2026/04/09 18:35:49 claudio Exp $ */
 /*
 * Copyright (c) 2020 Nils Fisher
 * Copyright (c) 2020 Claudio Jeker
@@ -1381,9 +1381,14 @@ http_parse_header(struct http_connection *conn, char *buf)
 cp = buf;
 /* empty line, end of header */
- if (*cp == '\0')
+ if (*cp == '\0') {
+ /* check consistency of header fields */
+ if (http_isredirect(conn) && conn->redir_uri == NULL) {
+ warnx("%s: redirect with no location", conn->req->uri);
+ return -1;
+ }
 return 0;
- else if (strncasecmp(cp, CONTENTLEN, sizeof(CONTENTLEN) - 1) == 0) {
+ } else if (strncasecmp(cp, CONTENTLEN, sizeof(CONTENTLEN) - 1) == 0) {
 cp += sizeof(CONTENTLEN) - 1;
 cp += strspn(cp, " \t");
 conn->iosz = strtonum(cp, 0, MAX_CONTENTLEN, &errstr);
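Review bot: The new end-of-header check in http_parse_header treats `conn->redir_uri == NULL` as "this response carried no Location header", which only holds if redir_uri is cleared before each response is parsed. That reset is not visible in this hunk, so it is worth confirming for connections that serve more than one request, since a leftover value from an earlier response would let a Location-less redirect pass the check. The comment `/* check consistency of header fields */` is also broader than the single test beneath it; stating the invariant, e.g. `/* a redirect status must come with a Location header (redir_uri set) */`, would make clear what a `-1` at the empty line means. The function begins and ends outside the hunk, so the Location parsing itself could not be reviewed here.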