From f16d5d80e4588e3189e9bd077d76f4726dd480e4 Mon Sep 17 00:00:00 2001
From: gregw
Date: Thu, 24 Oct 2024 16:31:47 +1100
Subject: [PATCH] HttpParser detects more bad status #11749

Fix #11749 by detecting more bad status codes
---
 .../java/org/eclipse/jetty/http/HttpParser.java | 8 +++++---
 .../org/eclipse/jetty/http/HttpParserTest.java | 16 ++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
index e1b037cda648..5fd79f50a452 100644
--- a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
+++ b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
@@ -827,8 +827,8 @@ else if (Violation.CASE_INSENSITIVE_METHOD.isAllowedBy(_complianceMode))
case COLON:
if (!_requestParser)
{
- if (t.getType() != HttpTokens.Type.DIGIT)
- throw new IllegalCharacterException(_state, t, buffer);
+ if (t.getType() != HttpTokens.Type.DIGIT || t.getByte() == '0')
+ throw new BadMessageException("Bad status");
setState(State.STATUS);
setResponseStatus(t.getByte() - '0');
}
@@ -874,6 +874,8 @@ else if (Violation.CASE_INSENSITIVE_METHOD.isAllowedBy(_complianceMode))
switch (t.getType())
{
case SPACE:
+ if (_responseStatus < 100)
+ throw new BadMessageException("Bad status");
setState(State.SPACE2);
break;

@@ -890,7 +892,7 @@ else if (Violation.CASE_INSENSITIVE_METHOD.isAllowedBy(_complianceMode))
break;

default:
- throw new IllegalCharacterException(_state, t, buffer);
+ throw new BadMessageException("Bad status");
}
break;

diff --git a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
index 603c314d7684..c53613d6cfe2 100644
--- a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
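Review bot: The first hunk (and the `default:` case in the third) replaces `IllegalCharacterException(_state, t, buffer)` with a bare `BadMessageException("Bad status")`, which drops the parser state and offending token the old exception carried, so a rejected response now surfaces with no indication of which of the three new checks fired or what byte triggered it. If the fixed message is deliberate, so that peer-controlled bytes are not echoed into the reason string, consider logging `_state` and `t.getType()` at debug level before the throw, or hoisting the literal into one `private static final String BAD_STATUS = "Bad status";` so the three sites stay in sync; any per-site wording change would also need the new test's `assertThat(_bad, is("Bad status"))` to follow. The enclosing `parseLine` switch begins and ends outside these hunks.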
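Review bot: The new `if (_responseStatus < 100)` guard in the second hunk is placed only under `case SPACE:` of the STATUS state, so a too-short code that is followed directly by CR or LF rather than a space (a status line with no reason phrase, e.g. `HTTP/1.1 50` then CRLF) is only rejected if the CR/LF cases, which lie between the second and third hunks and outside this view, repeat the check. Consider performing the `< 100` check once at the point the status code is committed, or in a small helper called from every case that leaves the STATUS state, rather than in the SPACE branch alone. The leading-zero check in the first hunk and this length check together enforce a three-digit code, so a short comment such as `// status-code must be exactly 3DIGIT (RFC 9112): reject leading zero and fewer than three digits` above the guard would make the two halves of the rule easier to find.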
+++ b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
@@ -1715,6 +1715,22 @@ public void testResponse101WithTransferEncoding(String eoln)
assertTrue(_messageCompleted);
}

+ @ParameterizedTest
+ @ValueSource(strings = {"xxx", "0", "00", "50", "050", "0200", "1000", "2xx"})
+ public void testBadResponseStatus(String status)
+ {
+ ByteBuffer buffer = BufferUtil.toBuffer("""
+ HTTP/1.1 %s %s\r
+ Content-Length:0\r
+ \r
+ """.formatted(status, status), StandardCharsets.ISO_8859_1);
+
+ HttpParser.ResponseHandler handler = new Handler();
+ HttpParser parser = new HttpParser(handler);
+ parser.parseNext(buffer);
+ assertThat(_bad, is("Bad status"));
+ }
+
@ParameterizedTest
@ValueSource(strings = {"\r\n", "\n"})
public void testResponseReasonIso88591(String eoln)
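Review bot: `testBadResponseStatus` formats every case as `HTTP/1.1 %s %s\r`, so the parser always sees a space after the code and the reason-phrase-less form of the status line is never exercised, even though that is the path where a short code reaches the CR/LF handling instead of `case SPACE:`. Consider a second parameterised test, or a second template in this one, that builds `HTTP/1.1 %s\r` and asserts the same `_bad` value, and a one-line comment above `@ValueSource` stating what each group of inputs targets (non-digits, leading zero, too few digits, too many digits). `assertThat(_bad, is("Bad status"))` pins the exact message, which couples this test to the three throw sites in HttpParser; asserting that `_bad` is non-null would survive a later wording change. The preceding `testResponse101WithTransferEncoding` body begins outside the hunk.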