bug when space in url #4974

Closed
mazhan465 opened this issue Aug 23, 2017 · 3 comments · Fixed by #5495
@mazhan465

When I get a request with a space in the URL like this:
"http://a.example.com/index?id=1 asd"
Packetbeat can't work normally.
This is a bug when parsing the HTTP protocol.

@while-loop

I'm not sure if this is actually a bug. Currently the code parses the request-line by whitespace which is the correct way to do it (as described in the HTTP RFC 7230 section 3.1.1).

In the code, if it is unable to parse the request-line, then it stops parsing the request.

This may be a bug in the client you are using that is sending the HTTP request and not correctly encoding the URL.

> Recipients typically parse the request-line into its component parts
> by splitting on whitespace (see Section 3.5), since no whitespace is
> allowed in the three components. Unfortunately, some user agents
> fail to properly encode or exclude whitespace found in hypertext
> references, resulting in those disallowed characters being sent in a
> request-target.
>
> ... A recipient SHOULD NOT attempt
> to autocorrect and then process the request without a redirect, since
> the invalid request-line might be deliberately crafted to bypass
> security filters along the request chain.

Cheers!

@mazhan465
Author

Packetbeat is used for monitoring traffic flow. When a hacker attempts to attack us using a deformed payload, which may include a space, Packetbeat will drop the packet, so the hacker will bypass monitoring.

@ph ph self-assigned this Oct 12, 2017
@ph
Contributor

ph commented Oct 12, 2017

Fixing the code to parse the URI with a space doesn't look too complicated; what worries me is how the parameter parsing will behave in this case, since we don't have the space URL-encoded.

ph added a commit to ph/beats that referenced this issue Nov 9, 2017
This fixes an issue when the HTTP request contains a space. Instead of
breaking the line with `bytes.fields`, we are finding the start and the end
of the URI using the `METHOD` verb and the `HTTP/{VERSION}`. This will
allow Packetbeat to record these requests instead of ignoring them.

Fixes: elastic#4974
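
The approach the commit message describes, as an added Go example that is not Packetbeat's code or part of the original thread: the strict parser splits on whitespace and drops the request-line from the report, while the tolerant one anchors on the method and the `HTTP/` version token and records the request. The `RequestLine` type, both function names and the `RawWhitespace` flag are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// RequestLine is a hypothetical type for this example, not a Packetbeat struct.
type RequestLine struct {
	Method, Target, Version string
	RawWhitespace           bool // target held unencoded whitespace
}

var errMalformed = errors.New("malformed request-line")

// parseStrict splits on whitespace and rejects anything but three fields,
// so a request with a raw space in the target is dropped unrecorded.
func parseStrict(line []byte) (RequestLine, error) {
	f := bytes.Fields(line)
	if len(f) != 3 {
		return RequestLine{}, errMalformed
	}
	return RequestLine{Method: string(f[0]), Target: string(f[1]), Version: string(f[2])}, nil
}

// parseTolerant takes the method up to the first space and the version after
// the last space; everything between is the target, flagged if it has whitespace.
func parseTolerant(line []byte) (RequestLine, error) {
	line = bytes.TrimRight(line, "\r\n")
	first, last := bytes.IndexByte(line, ' '), bytes.LastIndexByte(line, ' ')
	if first <= 0 || last <= first+1 || !bytes.HasPrefix(line[last+1:], []byte("HTTP/")) {
		return RequestLine{}, errMalformed
	}
	target := line[first+1 : last]
	return RequestLine{
		Method: string(line[:first]), Target: string(target), Version: string(line[last+1:]),
		RawWhitespace: bytes.ContainsAny(target, " \t"),
	}, nil
}

func main() {
	// Constructed request-line built from the URL in the report above.
	line := []byte("GET /index?id=1 asd HTTP/1.1\r\n")
	_, err := parseStrict(line)
	fmt.Println("strict:", err)
	rl, err := parseTolerant(line)
	fmt.Printf("tolerant: %+v err=%v\n", rl, err)
}
```

Recording the target verbatim with a flag keeps the malformed request visible to monitoring without autocorrecting it.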
@urso urso closed this as completed in #5495 Nov 9, 2017
urso pushed a commit that referenced this issue Nov 9, 2017
adriansr pushed a commit to adriansr/beats that referenced this issue Apr 6, 2018
andrewkroh pushed a commit that referenced this issue Apr 6, 2018