Custom characters set for URI and HTTP headers #628

Closed
krizhanovsky opened this issue Oct 31, 2016 · 1 comment
krizhanovsky commented Oct 31, 2016

`str_simd.c` uses a number of ASCII character tables to match URI and HTTP header fields. The tables should be made customizable by a user. I.e. the user should be able to describe which character sets they allow for a particular HTTP message field, and Tempesta FW at startup compiles the sets to the tables and uses them for the SIMD processing. The filtering is very useful to prevent some types of Web attacks, e.g. SQL Injections.

A separate alphabet must be added for POST arguments, so XSS and HTTP parameter fragmentation attacks can be prevented by excluding `<` and/or `*` from the alphabet.

The validator is very close to ModSecurity's validateByteRange.

Please update https://github.com/tempesta-tech/tempesta/wiki/Web-security and create an issue for a functional test.
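The idea in the comment above, as an added example that is not part of the original post and is not Tempesta FW code: a per-field alphabet is compiled once into a 256-entry table, and the field is then checked byte by byte. The spec syntax (decimal values and inclusive ranges separated by commas, in the style of `validateByteRange`) and the names `charset_t`, `charset_compile` and `charset_first_violation` are assumptions of this example, and the scalar lookup stands in for the SIMD matching.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* allowed[c] != 0 means byte value c is permitted in the field. */
typedef struct { unsigned char allowed[256]; } charset_t;

/*
 * Compile a spec such as "32-41,43-59,61-126" into a lookup table.
 * Returns 0 on success, -1 on a malformed spec (the table is then unusable).
 */
int charset_compile(const char *spec, charset_t *cs)
{
    memset(cs, 0, sizeof(*cs));
    while (*spec) {
        char *end;
        unsigned long lo, hi;

        if (!isdigit((unsigned char)*spec))
            return -1;
        lo = hi = strtoul(spec, &end, 10);
        if (*end == '-') {
            if (!isdigit((unsigned char)end[1]))
                return -1;
            hi = strtoul(end + 1, &end, 10);
        }
        if (lo > hi || hi > 255)    /* also catches strtoul overflow */
            return -1;
        for (unsigned long c = lo; c <= hi; c++)
            cs->allowed[c] = 1;
        if (*end == ',')
            end++;
        else if (*end)
            return -1;
        spec = end;
    }
    return 0;
}

/* Offset of the first byte outside the alphabet, or -1 if every byte passes. */
long charset_first_violation(const charset_t *cs, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    for (size_t i = 0; i < len; i++)
        if (!cs->allowed[p[i]])
            return (long)i;
    return -1;
}
```

With the spec `32-41,43-59,61-126` (printable ASCII without `*` and `<`), a constructed argument such as `q=<script>` is rejected at offset 2, while `q=tempesta` passes.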

@krizhanovsky

For now we do not parse the POST body and just skip it, so #902 must use the alphabet checking implemented in the issue to really verify the POST body.

krizhanovsky added a commit to tempesta-tech/blog that referenced this issue Apr 9, 2018
krizhanovsky added a commit that referenced this issue Apr 15, 2018
Fix #628: Custom characters set for URI and HTTP headers