Bug #2881

http.protocol parsing inaccuracy

Added by chris lujan 2 months ago. Updated about 2 months ago.

Status: Assigned
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty: low
Label:

Description

Request:

GET /uid=0(root) gid=0(root) groups=0(root)asdf HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*

eve.json output:
"http":{"protocol":"gid=0(root) groups=0(root)asdf HTTP\/1.1"}

It appears that the http.protocol is matching too greedily with the space character and could use something like /\S+$/m instead.

History

#1

Updated by chris lujan 2 months ago

Conversely, the http.url field is only matching up until the first space resulting in something like:

"http":{"url":"/uid=0(root)"}

which leads me to believe those fields are created by splitting the line by spaces.

#2

Updated by Victor Julien 2 months ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version set to TBD

#3

Updated by Victor Julien 2 months ago

I think URIs are not supposed to have spaces, but I think it would be good to address this anyway.

#4

Updated by Philippe Antoine about 2 months ago

Thanks Chris.
Indeed, URIs are not supposed to have spaces, but the protocol field is even less supposed to have spaces.
So I think we can take the last space in the request line as the URI end, instead of the second one.
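
The two ways of splitting the request line discussed in this thread, as an added example that is not part of the original report and is not Suricata or libhtp code: parse_second_space reproduces the reported eve.json fields, and parse_last_space follows the approach suggested in note #4. The struct and function names are hypothetical, and the input is assumed to be one request line with the trailing CRLF already removed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example; not Suricata or libhtp code. */
struct req_line {
    char method[16];
    char uri[256];
    char protocol[64];
};

/* Copy at most cap-1 bytes of [s, s+n) into dst and NUL-terminate. */
static void copy_span(char *dst, size_t cap, const char *s, size_t n) {
    if (n >= cap) n = cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Reported behaviour: URI ends at the second space, the rest is "protocol". */
int parse_second_space(const char *line, struct req_line *out) {
    const char *sp1 = strchr(line, ' ');
    if (!sp1) return -1;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2) return -1;
    copy_span(out->method, sizeof out->method, line, (size_t)(sp1 - line));
    copy_span(out->uri, sizeof out->uri, sp1 + 1, (size_t)(sp2 - sp1 - 1));
    copy_span(out->protocol, sizeof out->protocol, sp2 + 1, strlen(sp2 + 1));
    return 0;
}

/* Suggested behaviour: URI ends at the last space, so protocol has no spaces. */
int parse_last_space(const char *line, struct req_line *out) {
    const char *sp1 = strchr(line, ' ');
    const char *last = strrchr(line, ' ');
    if (!sp1 || last == sp1) return -1;   /* need at least two separators */
    copy_span(out->method, sizeof out->method, line, (size_t)(sp1 - line));
    copy_span(out->uri, sizeof out->uri, sp1 + 1, (size_t)(last - sp1 - 1));
    copy_span(out->protocol, sizeof out->protocol, last + 1, strlen(last + 1));
    return 0;
}

int main(void) {
    /* Request line from the report above. */
    const char *line = "GET /uid=0(root) gid=0(root) groups=0(root)asdf HTTP/1.1";
    struct req_line a, b;
    if (parse_second_space(line, &a) || parse_last_space(line, &b)) return 1;
    printf("second-space: url=[%s] protocol=[%s]\n", a.uri, a.protocol);
    printf("last-space:   url=[%s] protocol=[%s]\n", b.uri, b.protocol);
    return 0;
}
```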
