XrdHttpHeaderUtils Class Reference

#include <XrdHttpHeaderUtils.hh>

Collaboration diagram for XrdHttpHeaderUtils:

Static Public Member Functions
static ssize_t	parseContentLength (const std::string &value)
static void	parseReprDigest (const std::string &value, std::map< std::string, std::string > &output)
static int	parseTransferEncoding (const std::string &value)
static void	parseWantReprDigest (const std::string &value, std::map< std::string, uint8_t > &output)

Detailed Description

Definition at line 31 of file XrdHttpHeaderUtils.hh.

Member Function Documentation

parseContentLength()

ssize_t XrdHttpHeaderUtils::parseContentLength ( const std::string & value )

static

Parses the value of a 'Content-Length' HTTP header.

The HTTP spec says Content-Length must be one or more decimal digits with no sign character and no whitespace inside the number. Anything else is malformed and must be rejected with HTTP 400, because if we trust a garbage Content-Length we may disagree with a proxy in front of us on where the request body ends — which is the basis of HTTP request smuggling attacks.

Trailing whitespace and CRLF in the value are tolerated (parseLine forwards the raw header line including the closing \r
).

Reference: RFC 9112 §6.2 (Content-Length syntax) and RFC 7230 §3.3.3 rule 4 (rejection of invalid values).

Parameters

value

the raw value of the Content-Length header

Returns

the parsed non-negative integer on success, or a distinct negative code on error: -1 the value is empty (after trimming trailing CRLF / OWS), -2 the value contains a non-digit character (sign, garbage, embedded whitespace), -3 the value is numerically too large for an ssize_t.

Definition at line 110 of file XrdHttpHeaderUtils.cc.

                                                                      {
  std::string_view sv{value};
  // parseLine forwards the trailing CRLF (and any preceding spaces/tabs).
  while (!sv.empty() && (sv.back() == '\r' || sv.back() == '\n' ||
                         sv.back() == ' '  || sv.back() == '\t')) {
    sv.remove_suffix(1);
  }
  if (sv.empty()) {
    return -1;
  }
  // RFC 9112 §6.2: 1*DIGIT only — no sign, no embedded whitespace.
  for (char c : sv) {
    if (c < '0' || c > '9') {
      return -2;
    }
  }
  std::string nullTerm{sv};
  errno = 0;
  long long parsed = std::strtoll(nullTerm.c_str(), nullptr, 10);
  if (errno == ERANGE ||
      parsed > static_cast<long long>(std::numeric_limits<ssize_t>::max())) {
    return -3;
  }
  return static_cast<ssize_t>(parsed);
}

Referenced by XrdHttpReq::parseLine().

Here is the caller graph for this function:

parseReprDigest()

void XrdHttpHeaderUtils::parseReprDigest ( const std::string & value, std::map< std::string, std::string > & output )

static

Parses the 'Repr-Digest' header value received from the client Syntax: "Repr-Digest: adler=:base64EncodedValue:, crc32=:base64EncodedValue:

Parameters

value	contains the value of the header Repr-Digest
output	the map containing the digests and their associated base64 encoded values

Definition at line 35 of file XrdHttpHeaderUtils.cc.

                                                                                                     {
  // Expected format per entry: <cksumType>=:<digestValue>:
  std::vector<std::string> digestNameValuePairs;
  XrdOucTUtils::splitString(digestNameValuePairs, value, ",");
 
  for (const auto &digestNameValue : digestNameValuePairs) {
    std::string_view digestNameValueSV {digestNameValue};
    auto equalPos = digestNameValueSV.find('=');
    if (equalPos == std::string_view::npos || equalPos >= digestNameValueSV.size() - 1)
      continue;
 
    std::string_view cksumTypeSV = digestNameValueSV.substr(0, equalPos);
    XrdOucUtils::trim(cksumTypeSV);
    if (cksumTypeSV.empty())
      continue;
 
    std::string_view cksumValueInSV = digestNameValueSV.substr(equalPos + 1);
    size_t beginCksumPos = cksumValueInSV.find(':');
    size_t endCksumPos = cksumValueInSV.rfind(':');
 
    // Check that the string starts with ':' and contains two distinct colons
    if (beginCksumPos == 0 && endCksumPos > beginCksumPos + 1 && endCksumPos < cksumValueInSV.size()) {
      std::string_view cksumValue = cksumValueInSV.substr(beginCksumPos + 1, endCksumPos - beginCksumPos - 1);
      XrdOucUtils::trim(cksumValue);
      if (!cksumValue.empty()) {
        //What we get as checksum value is a base64-encoded hexadecimal bytes
        //Let's decode that.
        std::string chksumDecoded;
        base64DecodeHex(std::string(cksumValue), chksumDecoded);
        std::string cksumTypeLC {cksumTypeSV};
        std::transform(cksumTypeLC.begin(), cksumTypeLC.end(), cksumTypeLC.begin(), ::tolower);
        output[cksumTypeLC] = chksumDecoded;
      }
    }
    // Malformed entries are silently ignored
  }
}

References base64DecodeHex(), XrdOucTUtils::splitString(), and XrdOucUtils::trim().

Referenced by XrdHttpReq::parseLine().

Here is the call graph for this function:

Here is the caller graph for this function:

parseTransferEncoding()

int XrdHttpHeaderUtils::parseTransferEncoding ( const std::string & value )

static

Parses the value of a 'Transfer-Encoding' HTTP header.

Transfer-Encoding carries a comma-separated list of body encodings, for example "chunked" or "gzip, chunked". The list is case-insensitive and items can have whitespace around them.

The only encoding this server speaks is "chunked". HTTP requires that whenever "chunked" appears it must be the LAST item in the list (because that is the one that determines how the body is framed on the wire).

This function checks two things together: that "chunked" is actually present (matched case-insensitively as a whole token, not as a substring like the old code did), and that it is the last item.

Trailing CRLF on the last item is tolerated.

Reference: RFC 9112 §6.1 (Transfer-Encoding syntax and the "chunked-must-be-last" rule) and RFC 7230 §3.3.1 (same rule).

Parameters

value

the raw value of the Transfer-Encoding header

Returns

0 on success (the list ends in "chunked"), or a distinct negative code on error: -1 the value is empty (no tokens after splitting/trimming), -2 there is no "chunked" token in the list at all, -3 "chunked" appears but is not the final token.

Definition at line 136 of file XrdHttpHeaderUtils.cc.

                                                                     {
  std::vector<std::string> tokens;
  XrdOucTUtils::splitString(tokens, value, ",");
 
  bool chunked_seen = false;
  bool last_was_chunked = false;
  bool any_token = false;
 
  for (auto & tok : tokens) {
    std::string_view sv{tok};
    XrdOucUtils::trim(sv);
    if (sv.empty()) continue;
 
    // RFC 9112 §6.1: transfer-coding names are case-insensitive. Whole-token
    // match (not strstr) so "chunkedX" or "x-chunked" no longer falsely hit.
    std::string tlow{sv};
    std::transform(tlow.begin(), tlow.end(), tlow.begin(), ::tolower);
    any_token = true;
    if (tlow == "chunked") {
      chunked_seen = true;
      last_was_chunked = true;
    } else {
      last_was_chunked = false;
    }
  }
 
  if (!any_token)        return -1;
  if (!chunked_seen)     return -2;
  if (!last_was_chunked) return -3;
  return 0;
}

References XrdOucTUtils::splitString(), and XrdOucUtils::trim().

Referenced by XrdHttpReq::parseLine().

Here is the call graph for this function:

Here is the caller graph for this function:

parseWantReprDigest()

void XrdHttpHeaderUtils::parseWantReprDigest ( const std::string & value, std::map< std::string, uint8_t > & output )

static

Parses 'Want-Repr-Digest' header value received from the client Syntax: "Want-Repr-Digest: adler=1, crc32=2, sha-256=9 The values are integers representing the preference, comprised between 0 and 9.

Parameters

value	contains the value of the header Want-Repr-Digest
output	the map containing the lower-cased digest name and the associated preference

Definition at line 73 of file XrdHttpHeaderUtils.cc.

                                                                                                        {
  size_t pos = 0;
  std::string_view value_sv {value};
  while(pos <= value_sv.size()) {
    // find comma
    size_t comma = value.find(',',pos);
    // extract item, no comma means the item is the full string
    std::string_view item = (comma == std::string_view::npos) ? value_sv.substr(pos) : value_sv.substr(pos, comma - pos);
    // move current cursor to 'comma + 1' or after the string end
    pos = (comma == std::string_view::npos) ? value.size() + 1 : comma + 1;
    // trim the item
    XrdOucUtils::trim(item);
    if(item.empty()) continue;
 
    size_t eq = item.find('=');
    // If no '=' sign, we discard this entry as it is malformed
    if(eq == std::string_view::npos) continue;
    // We found the equal sign on the item
    std::string_view digestName {item.substr(0, eq)};
    XrdOucUtils::trim(digestName);
    std::string_view preference {item.substr(eq+1)};
    XrdOucUtils::trim(preference);
 
    std::string key_lower {digestName};
    std::transform(key_lower.begin(),key_lower.end(),key_lower.begin(),::tolower);
 
    try {
      uint8_t preference_us = XrdOucUtils::touint8_t(preference);
      // Max allowed value for Repr-Digest is 10
      preference_us = std::min(preference_us,(uint8_t)10);
      output[key_lower] = preference_us;
    } catch (...) {
      // discard invalid values
    }
  }
}

References XrdOucUtils::touint8_t(), and XrdOucUtils::trim().

Referenced by XrdHttpReq::parseLine().

Here is the call graph for this function:

Here is the caller graph for this function:

---

The documentation for this class was generated from the following files:

• XrdHttpHeaderUtils.hh
• XrdHttpHeaderUtils.cc