changeset 3119:8f2bda0719f4

Fix issue #125 (Mongoose: /instances/{id} returns 500 on invalid HTTP Method)
author Sebastien Jodogne <s.jodogne@gmail.com>
date Mon, 14 Jan 2019 13:11:43 +0100
parents 8849677c2cbc
children a323b75e5b08 df4f977c2f88
files NEWS Resources/Patches/mongoose-3.8-patch.diff
diffstat 2 files changed, 80 insertions(+), 2 deletions(-) [+]
--- a/NEWS	Sun Jan 13 20:16:43 2019 +0100
+++ b/NEWS	Mon Jan 14 13:11:43 2019 +0100
@@ -9,6 +9,7 @@
 * Fix issue #21 (DICOM files missing after uploading with Firefox)
 * Fix issue #118 (Wording in Configuration.json regarding SynchronousCMove)
 * Fix issue #124 (GET /studies/ID/media fails for certain dicom file)
+* Fix issue #125 (Mongoose: /instances/{id} returns 500 on invalid HTTP Method)
 * Fixed Orthanc Explorer on IE and Firefox: Explorer always show "too many results"
   and it's therefore impossible to browse the content.
 * Upgraded dependencies for static and Windows builds:
--- a/Resources/Patches/mongoose-3.8-patch.diff	Sun Jan 13 20:16:43 2019 +0100
+++ b/Resources/Patches/mongoose-3.8-patch.diff	Mon Jan 14 13:11:43 2019 +0100
@@ -1,5 +1,5 @@
---- mongoose.c.orig	2014-09-01 11:25:18.223466994 +0200
-+++ mongoose.c	2014-09-01 11:30:21.807479338 +0200
+--- mongoose.c.orig	2019-01-14 13:06:27.147098524 +0100
++++ mongoose.c	2019-01-14 12:44:35.331361929 +0100
 @@ -50,6 +50,14 @@
  #define PATH_MAX FILENAME_MAX
  #endif // __SYMBIAN32__
@@ -27,3 +27,80 @@
  #endif // _MSC_VER
  
  #define ERRNO   GetLastError()
+@@ -2997,19 +3006,19 @@
+   }
+ }
+ 
+-static int is_valid_http_method(const char *method) {
+-  return !strcmp(method, "GET") || !strcmp(method, "POST") ||
++static int is_valid_http_method(const char *method, int *isValidHttpMethod) {
++  *isValidHttpMethod = !strcmp(method, "GET") || !strcmp(method, "POST") ||
+     !strcmp(method, "HEAD") || !strcmp(method, "CONNECT") ||
+     !strcmp(method, "PUT") || !strcmp(method, "DELETE") ||
+     !strcmp(method, "OPTIONS") || !strcmp(method, "PROPFIND")
+-    || !strcmp(method, "MKCOL")
+-          ;
++    || !strcmp(method, "MKCOL");
++  return *isValidHttpMethod;
+ }
+ 
+ // Parse HTTP request, fill in mg_request_info structure.
+ // This function modifies the buffer by NUL-terminating
+ // HTTP request components, header names and header values.
+-static int parse_http_message(char *buf, int len, struct mg_request_info *ri) {
++static int parse_http_message(char *buf, int len, struct mg_request_info *ri, int *isValidHttpMethod) {
+   int is_request, request_length = get_request_len(buf, len);
+   if (request_length > 0) {
+     // Reset attributes. DO NOT TOUCH is_ssl, remote_ip, remote_port
+@@ -3025,7 +3034,7 @@
+     ri->request_method = skip(&buf, " ");
+     ri->uri = skip(&buf, " ");
+     ri->http_version = skip(&buf, "\r\n");
+-    if (((is_request = is_valid_http_method(ri->request_method)) &&
++    if (((is_request = is_valid_http_method(ri->request_method, isValidHttpMethod)) &&
+          memcmp(ri->http_version, "HTTP/", 5) != 0) ||
+         (!is_request && memcmp(ri->request_method, "HTTP/", 5)) != 0) {
+       request_length = -1;
+@@ -4930,7 +4939,7 @@
+   return uri[0] == '/' || (uri[0] == '*' && uri[1] == '\0');
+ }
+ 
+-static int getreq(struct mg_connection *conn, char *ebuf, size_t ebuf_len) {
++static int getreq(struct mg_connection *conn, char *ebuf, size_t ebuf_len, int *isValidHttpMethod) {
+   const char *cl;
+ 
+   ebuf[0] = '\0';
+@@ -4944,7 +4953,7 @@
+   } else if (conn->request_len <= 0) {
+     snprintf(ebuf, ebuf_len, "%s", "Client closed connection");
+   } else if (parse_http_message(conn->buf, conn->buf_size,
+-                                &conn->request_info) <= 0) {
++                                &conn->request_info, isValidHttpMethod) <= 0) {
+     snprintf(ebuf, ebuf_len, "Bad request: [%.*s]", conn->data_len, conn->buf);
+   } else {
+     // Request is valid
+@@ -4973,7 +4982,8 @@
+   } else if (mg_vprintf(conn, fmt, ap) <= 0) {
+     snprintf(ebuf, ebuf_len, "%s", "Error sending request");
+   } else {
+-    getreq(conn, ebuf, ebuf_len);
++    int isValidHttpMethod = 1; /* unused in this case */
++    getreq(conn, ebuf, ebuf_len, &isValidHttpMethod);
+   }
+   if (ebuf[0] != '\0' && conn != NULL) {
+     mg_close_connection(conn);
+@@ -4995,8 +5005,13 @@
+   // to crule42.
+   conn->data_len = 0;
+   do {
+-    if (!getreq(conn, ebuf, sizeof(ebuf))) {
++    int isValidHttpMethod = 1;
++    if (!getreq(conn, ebuf, sizeof(ebuf), &isValidHttpMethod)) {
++      if (isValidHttpMethod) {
+       send_http_error(conn, 500, "Server Error", "%s", ebuf);
++      } else {
++        send_http_error(conn, 400, "Bad Request", "%s", ebuf);
++      }
+       conn->must_close = 1;
+     } else if (!is_valid_uri(conn->request_info.uri)) {
+       snprintf(ebuf, sizeof(ebuf), "Invalid URI: [%s]", ri->uri);
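Review bot: Only the unknown-method case is moved to 400. In `parse_http_message`, a request with a valid method but a version field that does not start with `HTTP/` still sets `request_length = -1` while `*isValidHttpMethod` is 1, so the request loop keeps answering `500 Server Error` for input that is the client's fault. Every failure of `parse_http_message` visible here is a malformed request, so it would be simpler to have `getreq` report that directly, e.g. set `*isBadRequest = 1;` (a renamed out-parameter) in its `Bad request: [...]` branch and test that flag when choosing between 400 and 500. Keeping client-triggered parse errors out of the 5xx range also keeps server-error monitoring meaningful when the port receives junk requests. The new `if`/`else` leaves the `send_http_error(conn, 500, ...)` line at its old indentation, and the functions touched by this nested patch all continue outside the quoted context.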