authorGravatar Kirill Danshin <kirill@danshin.pro> 2020-12-09 18:59:57 +0300
committerGravatar GitHub <noreply@github.com> 2020-12-09 16:59:57 +0100
commitd0dfbd4494632e4bf398d1c0098e4c389a1c4356 (patch)
tree17b6136346c865c5c312466f8913823a23245e12 /http_test.go
parent(header) do case insensitive lookup of cookie header value (#925) (diff)
fix issue #875 (#909)v1.18.0
* 🐞 panic in fs.go #824 * fix issue #875 Signed-off-by: Kirill Danshin <kirill@danshin.pro> * improve issue 875 Co-authored-by: Fenny <fenny@gofiber.io> * Update header.go * Update header.go Co-authored-by: Kirill Danshin <kirill@danshin.pro> * remove foldReplacer * Improve removeNewLines Start replacing at the first character found, use bytes.IndexByte to make the function signature more logical. Both bytes.IndexByte and strings.IndexByte use exactly the same code: https://github.com/golang/go/blob/0c703b37dffe74d3fffc04347884bb0ee2fba5b3/src/internal/bytealg/indexbyte_amd64.s#L8-L20 Co-authored-by: wernerr <rene.werner@verivox.com> Co-authored-by: wernerr <rene@gofiber.io> Co-authored-by: Fenny <fenny@gofiber.io> Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
Diffstat (limited to 'http_test.go')
-rw-r--r--http_test.go48
1 files changed, 48 insertions, 0 deletions
diff --git a/http_test.go b/http_test.go
index c67f520..2f91e34 100644
--- a/http_test.go
+++ b/http_test.go
@@ -8,6 +8,7 @@ import (
"io/ioutil"
"mime/multipart"
"reflect"
+ "strconv"
"strings"
"testing"
"time"
@@ -30,6 +31,53 @@ func TestFragmentInURIRequest(t *testing.T) {
}
}
+func TestIssue875(t *testing.T) {
+ type testcase struct {
+ uri string
+ expectedRedirect string
+ expectedLocation string
+ }
+
+ var testcases = []testcase{
+ {
+ uri: `http://localhost:3000/?redirect=foo%0d%0aSet-Cookie:%20SESSIONID=MaliciousValue%0d%0a`,
+ expectedRedirect: "foo\r\nSet-Cookie: SESSIONID=MaliciousValue\r\n",
+ expectedLocation: "Location: foo Set-Cookie: SESSIONID=MaliciousValue",
+ },
+ {
+ uri: `http://localhost:3000/?redirect=foo%0dSet-Cookie:%20SESSIONID=MaliciousValue%0d%0a`,
+ expectedRedirect: "foo\rSet-Cookie: SESSIONID=MaliciousValue\r\n",
+ expectedLocation: "Location: foo Set-Cookie: SESSIONID=MaliciousValue",
+ },
+ {
+ uri: `http://localhost:3000/?redirect=foo%0aSet-Cookie:%20SESSIONID=MaliciousValue%0d%0a`,
+ expectedRedirect: "foo\nSet-Cookie: SESSIONID=MaliciousValue\r\n",
+ expectedLocation: "Location: foo Set-Cookie: SESSIONID=MaliciousValue",
+ },
+ }
+
+ for i, tcase := range testcases {
+ caseName := strconv.FormatInt(int64(i), 10)
+ t.Run(caseName, func(subT *testing.T) {
+ ctx := &RequestCtx{
+ Request: Request{},
+ Response: Response{},
+ }
+ ctx.Request.SetRequestURI(tcase.uri)
+
+ q := string(ctx.QueryArgs().Peek("redirect"))
+ if q != tcase.expectedRedirect {
+ subT.Errorf("unexpected redirect query value, got: %+v", q)
+ }
+ ctx.Response.Header.Set("Location", q)
+
+ if !strings.Contains(ctx.Response.String(), tcase.expectedLocation) {
+ subT.Errorf("invalid escaping, got\n%s", ctx.Response.String())
+ }
+ })
+ }
+}
+
func TestRequestCopyTo(t *testing.T) {
t.Parallel()
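Review bot: The check at `if !strings.Contains(ctx.Response.String(), tcase.expectedLocation)` only proves the folded value is present; it never proves that the injected `Set-Cookie:` did not also become a header line of its own, which is the response-splitting behaviour issue #875 is actually about. Add a negative assertion alongside it, e.g. `resp := ctx.Response.String()` followed by `if strings.Contains(resp, "\nSet-Cookie:") { subT.Errorf("injected header survived as its own line:\n%s", resp) }`, so the test keeps failing if the sanitizer is later narrowed to, say, CRLF pairs only while a bare LF (the third case here) slips through. The three cases exercise only the value passed to `Response.Header.Set`; `Add`, `SetBytesKV`, the header name itself and the request-side header setters presumably go through the same removeNewLines path in header.go but are not covered, so one case each would make the regression test match the fix's scope. `strconv.FormatInt(int64(i), 10)` on line 61 is just `strconv.Itoa(i)`. The trailing blank context line of TestRequestCopyTo is not visible in this rendering.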