xref: /PHP-8.0/sapi/cli/php_http_parser.c (revision d1ccb5bd)
1 /* Copyright 2009,2010 Ryan Dahl <ry@tinyclouds.org>
2  *
3  * Permission is hereby granted, free of charge, to any person obtaining a copy
4  * of this software and associated documentation files (the "Software"), to
5  * deal in the Software without restriction, including without limitation the
6  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
7  * sell copies of the Software, and to permit persons to whom the Software is
8  * furnished to do so, subject to the following conditions:
9  *
10  * The above copyright notice and this permission notice shall be included in
11  * all copies or substantial portions of the Software.
12  *
13  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
18  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
19  * IN THE SOFTWARE.
20  */
21 #include <assert.h>
22 #include <stddef.h>
23 #include "php_http_parser.h"
24 
25 
26 #ifndef MIN
27 # define MIN(a,b) ((a) < (b) ? (a) : (b))
28 #endif
29 
30 
31 #define CALLBACK2(FOR)                                               \
32 do {                                                                 \
33   if (settings->on_##FOR) {                                          \
34     if (0 != settings->on_##FOR(parser)) return (p - data);          \
35   }                                                                  \
36 } while (0)
37 
38 
39 #define MARK(FOR)                                                    \
40 do {                                                                 \
41   FOR##_mark = p;                                                    \
42 } while (0)
43 
44 #define CALLBACK_NOCLEAR(FOR)                                        \
45 do {                                                                 \
46   if (FOR##_mark) {                                                  \
47     if (settings->on_##FOR) {                                        \
48       if (0 != settings->on_##FOR(parser,                            \
49                                  FOR##_mark,                         \
50                                  p - FOR##_mark))                    \
51       {                                                              \
52         return (p - data);                                           \
53       }                                                              \
54     }                                                                \
55   }                                                                  \
56 } while (0)
57 
58 #ifdef PHP_WIN32
59 # undef CALLBACK
60 #endif
61 #define CALLBACK(FOR)                                                \
62 do {                                                                 \
63   CALLBACK_NOCLEAR(FOR);                                             \
64   FOR##_mark = NULL;                                                 \
65 } while (0)
66 
67 
68 #define PROXY_CONNECTION "proxy-connection"
69 #define CONNECTION "connection"
70 #define CONTENT_LENGTH "content-length"
71 #define TRANSFER_ENCODING "transfer-encoding"
72 #define UPGRADE "upgrade"
73 #define CHUNKED "chunked"
74 #define KEEP_ALIVE "keep-alive"
75 #define CLOSE "close"
76 
77 
78 static const char *method_strings[] =
79   { "DELETE"
80   , "GET"
81   , "HEAD"
82   , "POST"
83   , "PUT"
84   , "PATCH"
85   , "CONNECT"
86   , "OPTIONS"
87   , "TRACE"
88   , "COPY"
89   , "LOCK"
90   , "MKCOL"
91   , "MOVE"
92   , "MKCALENDAR"
93   , "PROPFIND"
94   , "PROPPATCH"
95   , "SEARCH"
96   , "UNLOCK"
97   , "REPORT"
98   , "MKACTIVITY"
99   , "CHECKOUT"
100   , "MERGE"
101   , "M-SEARCH"
102   , "NOTIFY"
103   , "SUBSCRIBE"
104   , "UNSUBSCRIBE"
105   , "NOTIMPLEMENTED"
106   };
107 
108 
109 /* Tokens as defined by rfc 2616. Also lowercases them.
110  *        token       = 1*<any CHAR except CTLs or separators>
111  *     separators     = "(" | ")" | "<" | ">" | "@"
112  *                    | "," | ";" | ":" | "\" | <">
113  *                    | "/" | "[" | "]" | "?" | "="
114  *                    | "{" | "}" | SP | HT
115  */
116 static const char tokens[256] = {
117 /*   0 nul    1 soh    2 stx    3 etx    4 eot    5 enq    6 ack    7 bel  */
118         0,       0,       0,       0,       0,       0,       0,       0,
119 /*   8 bs     9 ht    10 nl    11 vt    12 np    13 cr    14 so    15 si   */
120         0,       0,       0,       0,       0,       0,       0,       0,
121 /*  16 dle   17 dc1   18 dc2   19 dc3   20 dc4   21 nak   22 syn   23 etb */
122         0,       0,       0,       0,       0,       0,       0,       0,
123 /*  24 can   25 em    26 sub   27 esc   28 fs    29 gs    30 rs    31 us  */
124         0,       0,       0,       0,       0,       0,       0,       0,
125 /*  32 sp    33  !    34  "    35  #    36  $    37  %    38  &    39  '  */
126        ' ',      '!',     '"',     '#',     '$',     '%',     '&',    '\'',
127 /*  40  (    41  )    42  *    43  +    44  ,    45  -    46  .    47  /  */
128         0,       0,      '*',     '+',      0,      '-',     '.',     '/',
129 /*  48  0    49  1    50  2    51  3    52  4    53  5    54  6    55  7  */
130        '0',     '1',     '2',     '3',     '4',     '5',     '6',     '7',
131 /*  56  8    57  9    58  :    59  ;    60  <    61  =    62  >    63  ?  */
132        '8',     '9',      0,       0,       0,       0,       0,       0,
133 /*  64  @    65  A    66  B    67  C    68  D    69  E    70  F    71  G  */
134         0,      'a',     'b',     'c',     'd',     'e',     'f',     'g',
135 /*  72  H    73  I    74  J    75  K    76  L    77  M    78  N    79  O  */
136        'h',     'i',     'j',     'k',     'l',     'm',     'n',     'o',
137 /*  80  P    81  Q    82  R    83  S    84  T    85  U    86  V    87  W  */
138        'p',     'q',     'r',     's',     't',     'u',     'v',     'w',
139 /*  88  X    89  Y    90  Z    91  [    92  \    93  ]    94  ^    95  _  */
140        'x',     'y',     'z',      0,       0,       0,      '^',     '_',
141 /*  96  `    97  a    98  b    99  c   100  d   101  e   102  f   103  g  */
142        '`',     'a',     'b',     'c',     'd',     'e',     'f',     'g',
143 /* 104  h   105  i   106  j   107  k   108  l   109  m   110  n   111  o  */
144        'h',     'i',     'j',     'k',     'l',     'm',     'n',     'o',
145 /* 112  p   113  q   114  r   115  s   116  t   117  u   118  v   119  w  */
146        'p',     'q',     'r',     's',     't',     'u',     'v',     'w',
147 /* 120  x   121  y   122  z   123  {   124  |   125  }   126  ~   127 del */
148        'x',     'y',     'z',      0,      '|',     '}',     '~',       0 };
149 
150 
151 static const int8_t unhex[256] =
152   {-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
153   ,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
154   ,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
155   , 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,-1,-1,-1,-1,-1,-1
156   ,-1,10,11,12,13,14,15,-1,-1,-1,-1,-1,-1,-1,-1,-1
157   ,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
158   ,-1,10,11,12,13,14,15,-1,-1,-1,-1,-1,-1,-1,-1,-1
159   ,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
160   };
161 
162 
163 static const uint8_t normal_url_char[256] = {
164 /*   0 nul    1 soh    2 stx    3 etx    4 eot    5 enq    6 ack    7 bel  */
165         0,       0,       0,       0,       0,       0,       0,       0,
166 /*   8 bs     9 ht    10 nl    11 vt    12 np    13 cr    14 so    15 si   */
167         0,       0,       0,       0,       0,       0,       0,       0,
168 /*  16 dle   17 dc1   18 dc2   19 dc3   20 dc4   21 nak   22 syn   23 etb */
169         0,       0,       0,       0,       0,       0,       0,       0,
170 /*  24 can   25 em    26 sub   27 esc   28 fs    29 gs    30 rs    31 us  */
171         0,       0,       0,       0,       0,       0,       0,       0,
172 /*  32 sp    33  !    34  "    35  #    36  $    37  %    38  &    39  '  */
173         0,       1,       1,       0,       1,       1,       1,       1,
174 /*  40  (    41  )    42  *    43  +    44  ,    45  -    46  .    47  /  */
175         1,       1,       1,       1,       1,       1,       1,       1,
176 /*  48  0    49  1    50  2    51  3    52  4    53  5    54  6    55  7  */
177         1,       1,       1,       1,       1,       1,       1,       1,
178 /*  56  8    57  9    58  :    59  ;    60  <    61  =    62  >    63  ?  */
179         1,       1,       1,       1,       1,       1,       1,       0,
180 /*  64  @    65  A    66  B    67  C    68  D    69  E    70  F    71  G  */
181         1,       1,       1,       1,       1,       1,       1,       1,
182 /*  72  H    73  I    74  J    75  K    76  L    77  M    78  N    79  O  */
183         1,       1,       1,       1,       1,       1,       1,       1,
184 /*  80  P    81  Q    82  R    83  S    84  T    85  U    86  V    87  W  */
185         1,       1,       1,       1,       1,       1,       1,       1,
186 /*  88  X    89  Y    90  Z    91  [    92  \    93  ]    94  ^    95  _  */
187         1,       1,       1,       1,       1,       1,       1,       1,
188 /*  96  `    97  a    98  b    99  c   100  d   101  e   102  f   103  g  */
189         1,       1,       1,       1,       1,       1,       1,       1,
190 /* 104  h   105  i   106  j   107  k   108  l   109  m   110  n   111  o  */
191         1,       1,       1,       1,       1,       1,       1,       1,
192 /* 112  p   113  q   114  r   115  s   116  t   117  u   118  v   119  w  */
193         1,       1,       1,       1,       1,       1,       1,       1,
194 /* 120  x   121  y   122  z   123  {   124  |   125  }   126  ~   127 del */
195         1,       1,       1,       1,       1,       1,       1,       0 };
196 
197 
198 #define PARSING_HEADER(state) (state <= s_headers_almost_done && 0 == (parser->flags & F_TRAILING))
199 
200 
201 enum header_states
202   { h_general = 0
203   , h_C
204   , h_CO
205   , h_CON
206 
207   , h_matching_connection
208   , h_matching_proxy_connection
209   , h_matching_content_length
210   , h_matching_transfer_encoding
211   , h_matching_upgrade
212 
213   , h_connection
214   , h_content_length
215   , h_transfer_encoding
216   , h_upgrade
217 
218   , h_matching_transfer_encoding_chunked
219   , h_matching_connection_keep_alive
220   , h_matching_connection_close
221 
222   , h_transfer_encoding_chunked
223   , h_connection_keep_alive
224   , h_connection_close
225   };
226 
227 
228 enum flags
229   { F_CHUNKED               = 1 << 0
230   , F_CONNECTION_KEEP_ALIVE = 1 << 1
231   , F_CONNECTION_CLOSE      = 1 << 2
232   , F_TRAILING              = 1 << 3
233   , F_UPGRADE               = 1 << 4
234   , F_SKIPBODY              = 1 << 5
235   };
236 
237 
238 #define CR '\r'
239 #define LF '\n'
240 #define LOWER(c) (unsigned char)(c | 0x20)
241 #define TOKEN(c) tokens[(unsigned char)c]
242 
243 
244 #define start_state (parser->type == PHP_HTTP_REQUEST ? s_start_req : s_start_res)
245 
246 
247 #ifdef HTTP_PARSER_STRICT
248 # define STRICT_CHECK(cond) if (cond) goto error
249 # define NEW_MESSAGE() (http_should_keep_alive(parser) ? start_state : s_dead)
250 #else
251 # define STRICT_CHECK(cond)
252 # define NEW_MESSAGE() start_state
253 #endif
254 
255 
php_http_parser_execute(php_http_parser * parser,const php_http_parser_settings * settings,const char * data,size_t len)256 size_t php_http_parser_execute (php_http_parser *parser,
257                             const php_http_parser_settings *settings,
258                             const char *data,
259                             size_t len)
260 {
261   char ch;
262   signed char c;
263   const char *p = data, *pe;
264   size_t to_read;
265 
266   enum state state = (enum state) parser->state;
267   enum header_states header_state = (enum header_states) parser->header_state;
268   uint32_t index = parser->index;
269   uint32_t nread = parser->nread;
270 
271   /* technically we could combine all of these (except for url_mark) into one
272      variable, saving stack space, but it seems more clear to have them
273      separated. */
274   const char *header_field_mark = 0;
275   const char *header_value_mark = 0;
276   const char *fragment_mark = 0;
277   const char *query_string_mark = 0;
278   const char *path_mark = 0;
279   const char *url_mark = 0;
280 
281   if (len == 0) {
282     if (state == s_body_identity_eof) {
283       CALLBACK2(message_complete);
284     }
285     return 0;
286   }
287 
288   if (state == s_header_field)
289     header_field_mark = data;
290   if (state == s_header_value)
291     header_value_mark = data;
292   if (state == s_req_fragment)
293     fragment_mark = data;
294   if (state == s_req_query_string)
295     query_string_mark = data;
296   if (state == s_req_path)
297     path_mark = data;
298   if (state == s_req_path || state == s_req_schema || state == s_req_schema_slash
299       || state == s_req_schema_slash_slash || state == s_req_port
300       || state == s_req_query_string_start || state == s_req_query_string
301       || state == s_req_host
302       || state == s_req_fragment_start || state == s_req_fragment)
303     url_mark = data;
304 
305   for (p=data, pe=data+len; p != pe; p++) {
306     ch = *p;
307 
308     if (PARSING_HEADER(state)) {
309       ++nread;
310       /* Buffer overflow attack */
311       if (nread > PHP_HTTP_MAX_HEADER_SIZE) goto error;
312     }
313 
314     switch (state) {
315 
316       case s_dead:
317         /* this state is used after a 'Connection: close' message
318          * the parser will error out if it reads another message
319          */
320         goto error;
321 
322       case s_start_req_or_res:
323       {
324         if (ch == CR || ch == LF)
325           break;
326         parser->flags = 0;
327         parser->content_length = -1;
328 
329         CALLBACK2(message_begin);
330 
331         if (ch == 'H')
332           state = s_res_or_resp_H;
333         else {
334           parser->type = PHP_HTTP_REQUEST;
335           goto start_req_method_assign;
336         }
337         break;
338       }
339 
340       case s_res_or_resp_H:
341         if (ch == 'T') {
342           parser->type = PHP_HTTP_RESPONSE;
343           state = s_res_HT;
344         } else {
345           if (ch != 'E') goto error;
346           parser->type = PHP_HTTP_REQUEST;
347           parser->method = PHP_HTTP_HEAD;
348           index = 2;
349           state = s_req_method;
350         }
351         break;
352 
353       case s_start_res:
354       {
355         parser->flags = 0;
356         parser->content_length = -1;
357 
358         CALLBACK2(message_begin);
359 
360         switch (ch) {
361           case 'H':
362             state = s_res_H;
363             break;
364 
365           case CR:
366           case LF:
367             break;
368 
369           default:
370             goto error;
371         }
372         break;
373       }
374 
375       case s_res_H:
376         STRICT_CHECK(ch != 'T');
377         state = s_res_HT;
378         break;
379 
380       case s_res_HT:
381         STRICT_CHECK(ch != 'T');
382         state = s_res_HTT;
383         break;
384 
385       case s_res_HTT:
386         STRICT_CHECK(ch != 'P');
387         state = s_res_HTTP;
388         break;
389 
390       case s_res_HTTP:
391         STRICT_CHECK(ch != '/');
392         state = s_res_first_http_major;
393         break;
394 
395       case s_res_first_http_major:
396         if (ch < '1' || ch > '9') goto error;
397         parser->http_major = ch - '0';
398         state = s_res_http_major;
399         break;
400 
401       /* major HTTP version or dot */
402       case s_res_http_major:
403       {
404         if (ch == '.') {
405           state = s_res_first_http_minor;
406           break;
407         }
408 
409         if (ch < '0' || ch > '9') goto error;
410 
411         parser->http_major *= 10;
412         parser->http_major += ch - '0';
413 
414         if (parser->http_major > 999) goto error;
415         break;
416       }
417 
418       /* first digit of minor HTTP version */
419       case s_res_first_http_minor:
420         if (ch < '0' || ch > '9') goto error;
421         parser->http_minor = ch - '0';
422         state = s_res_http_minor;
423         break;
424 
425       /* minor HTTP version or end of request line */
426       case s_res_http_minor:
427       {
428         if (ch == ' ') {
429           state = s_res_first_status_code;
430           break;
431         }
432 
433         if (ch < '0' || ch > '9') goto error;
434 
435         parser->http_minor *= 10;
436         parser->http_minor += ch - '0';
437 
438         if (parser->http_minor > 999) goto error;
439         break;
440       }
441 
442       case s_res_first_status_code:
443       {
444         if (ch < '0' || ch > '9') {
445           if (ch == ' ') {
446             break;
447           }
448           goto error;
449         }
450         parser->status_code = ch - '0';
451         state = s_res_status_code;
452         break;
453       }
454 
455       case s_res_status_code:
456       {
457         if (ch < '0' || ch > '9') {
458           switch (ch) {
459             case ' ':
460               state = s_res_status;
461               break;
462             case CR:
463               state = s_res_line_almost_done;
464               break;
465             case LF:
466               state = s_header_field_start;
467               break;
468             default:
469               goto error;
470           }
471           break;
472         }
473 
474         parser->status_code *= 10;
475         parser->status_code += ch - '0';
476 
477         if (parser->status_code > 999) goto error;
478         break;
479       }
480 
481       case s_res_status:
482         /* the human readable status. e.g. "NOT FOUND"
483          * we are not humans so just ignore this */
484         if (ch == CR) {
485           state = s_res_line_almost_done;
486           break;
487         }
488 
489         if (ch == LF) {
490           state = s_header_field_start;
491           break;
492         }
493         break;
494 
495       case s_res_line_almost_done:
496         STRICT_CHECK(ch != LF);
497         state = s_header_field_start;
498         break;
499 
500       case s_start_req:
501       {
502         if (ch == CR || ch == LF)
503           break;
504         parser->flags = 0;
505         parser->content_length = -1;
506 
507         CALLBACK2(message_begin);
508 
509         if (ch < 'A' || 'Z' < ch) goto error;
510 
511       start_req_method_assign:
512         parser->method = (enum php_http_method) 0;
513         index = 1;
514         switch (ch) {
515           case 'C': parser->method = PHP_HTTP_CONNECT; /* or COPY, CHECKOUT */ break;
516           case 'D': parser->method = PHP_HTTP_DELETE; break;
517           case 'G': parser->method = PHP_HTTP_GET; break;
518           case 'H': parser->method = PHP_HTTP_HEAD; break;
519           case 'L': parser->method = PHP_HTTP_LOCK; break;
520           case 'M': parser->method = PHP_HTTP_MKCOL; /* or MOVE, MKCALENDAR, MKACTIVITY, MERGE, M-SEARCH */ break;
521           case 'N': parser->method = PHP_HTTP_NOTIFY; break;
522           case 'O': parser->method = PHP_HTTP_OPTIONS; break;
523           case 'P': parser->method = PHP_HTTP_POST; /* or PROPFIND or PROPPATCH or PUT */ break;
524           case 'R': parser->method = PHP_HTTP_REPORT; break;
525           case 'S': parser->method = PHP_HTTP_SUBSCRIBE; /* or SEARCH */ break;
526           case 'T': parser->method = PHP_HTTP_TRACE; break;
527           case 'U': parser->method = PHP_HTTP_UNLOCK; /* or UNSUBSCRIBE */ break;
528           default: parser->method = PHP_HTTP_NOT_IMPLEMENTED; break;
529         }
530         state = s_req_method;
531         break;
532       }
533       case s_req_method:
534       {
535         const char *matcher;
536         if (ch == '\0')
537           goto error;
538 
539         matcher = method_strings[parser->method];
540         if (ch == ' ') {
541           if (parser->method != PHP_HTTP_NOT_IMPLEMENTED && matcher[index] != '\0') {
542             parser->method = PHP_HTTP_NOT_IMPLEMENTED;
543           }
544           state = s_req_spaces_before_url;
545         } else if (parser->method == PHP_HTTP_NOT_IMPLEMENTED || ch == matcher[index]) {
546           ; /* nada */
547         } else if (parser->method == PHP_HTTP_CONNECT) {
548           if (index == 1 && ch == 'H') {
549             parser->method = PHP_HTTP_CHECKOUT;
550           } else if (index == 2  && ch == 'P') {
551             parser->method = PHP_HTTP_COPY;
552           } else {
553             parser->method = PHP_HTTP_NOT_IMPLEMENTED;
554           }
555         } else if (parser->method == PHP_HTTP_MKCOL) {
556           if (index == 1 && ch == 'O') {
557             parser->method = PHP_HTTP_MOVE;
558           } else if (index == 3 && ch == 'A') {
559             parser->method = PHP_HTTP_MKCALENDAR;
560           } else if (index == 1 && ch == 'E') {
561             parser->method = PHP_HTTP_MERGE;
562           } else if (index == 1 && ch == '-') {
563             parser->method = PHP_HTTP_MSEARCH;
564           } else if (index == 2 && ch == 'A') {
565             parser->method = PHP_HTTP_MKACTIVITY;
566           } else {
567             parser->method = PHP_HTTP_NOT_IMPLEMENTED;
568           }
569         } else if (index == 1 && parser->method == PHP_HTTP_POST && ch == 'R') {
570           parser->method = PHP_HTTP_PROPFIND; /* or HTTP_PROPPATCH */
571         } else if (index == 1 && parser->method == PHP_HTTP_POST && ch == 'U') {
572           parser->method = PHP_HTTP_PUT;
573         } else if (index == 1 && parser->method == PHP_HTTP_POST && ch == 'A') {
574           parser->method = PHP_HTTP_PATCH;
575         } else if (index == 1 && parser->method == PHP_HTTP_SUBSCRIBE && ch == 'E') {
576           parser->method = PHP_HTTP_SEARCH;
577         } else if (index == 2 && parser->method == PHP_HTTP_UNLOCK && ch == 'S') {
578           parser->method = PHP_HTTP_UNSUBSCRIBE;
579         } else if (index == 4 && parser->method == PHP_HTTP_PROPFIND && ch == 'P') {
580           parser->method = PHP_HTTP_PROPPATCH;
581         } else {
582           parser->method = PHP_HTTP_NOT_IMPLEMENTED;
583         }
584 
585         ++index;
586         break;
587       }
588       case s_req_spaces_before_url:
589       {
590         if (ch == ' ') break;
591 
592         if (ch == '/' || ch == '*') {
593           MARK(url);
594           MARK(path);
595           state = s_req_path;
596           break;
597         }
598 
599         c = LOWER(ch);
600 
601         if (c >= 'a' && c <= 'z') {
602           MARK(url);
603           state = s_req_schema;
604           break;
605         }
606 
607         goto error;
608       }
609 
610       case s_req_schema:
611       {
612         c = LOWER(ch);
613 
614         if (c >= 'a' && c <= 'z') break;
615 
616         if (ch == ':') {
617           state = s_req_schema_slash;
618           break;
619         } else if (ch == '.') {
620           state = s_req_host;
621           break;
622         } else if ('0' <= ch && ch <= '9') {
623           state = s_req_host;
624           break;
625         }
626 
627         goto error;
628       }
629 
630       case s_req_schema_slash:
631         STRICT_CHECK(ch != '/');
632         state = s_req_schema_slash_slash;
633         break;
634 
635       case s_req_schema_slash_slash:
636         STRICT_CHECK(ch != '/');
637         state = s_req_host;
638         break;
639 
640       case s_req_host:
641       {
642         c = LOWER(ch);
643         if (c >= 'a' && c <= 'z') break;
644         if ((ch >= '0' && ch <= '9') || ch == '.' || ch == '-') break;
645         switch (ch) {
646           case ':':
647             state = s_req_port;
648             break;
649           case '/':
650             MARK(path);
651             state = s_req_path;
652             break;
653           case ' ':
654             /* The request line looks like:
655              *   "GET http://foo.bar.com HTTP/1.1"
656              * That is, there is no path.
657              */
658             CALLBACK(url);
659             state = s_req_http_start;
660             break;
661           default:
662             goto error;
663         }
664         break;
665       }
666 
667       case s_req_port:
668       {
669         if (ch >= '0' && ch <= '9') break;
670         switch (ch) {
671           case '/':
672             MARK(path);
673             state = s_req_path;
674             break;
675           case ' ':
676             /* The request line looks like:
677              *   "GET http://foo.bar.com:1234 HTTP/1.1"
678              * That is, there is no path.
679              */
680             CALLBACK(url);
681             state = s_req_http_start;
682             break;
683           default:
684             goto error;
685         }
686         break;
687       }
688 
689       case s_req_path:
690       {
691         if (normal_url_char[(unsigned char)ch]) break;
692 
693         switch (ch) {
694           case ' ':
695             CALLBACK(url);
696             CALLBACK(path);
697             state = s_req_http_start;
698             break;
699           case CR:
700             CALLBACK(url);
701             CALLBACK(path);
702             parser->http_major = 0;
703             parser->http_minor = 9;
704             state = s_req_line_almost_done;
705             break;
706           case LF:
707             CALLBACK(url);
708             CALLBACK(path);
709             parser->http_major = 0;
710             parser->http_minor = 9;
711             state = s_header_field_start;
712             break;
713           case '?':
714             CALLBACK(path);
715             state = s_req_query_string_start;
716             break;
717           case '#':
718             CALLBACK(path);
719             state = s_req_fragment_start;
720             break;
721           default:
722             goto error;
723         }
724         break;
725       }
726 
727       case s_req_query_string_start:
728       {
729         if (normal_url_char[(unsigned char)ch]) {
730           MARK(query_string);
731           state = s_req_query_string;
732           break;
733         }
734 
735         switch (ch) {
736           case '?':
737             break; /* XXX ignore extra '?' ... is this right? */
738           case ' ':
739             CALLBACK(url);
740             state = s_req_http_start;
741             break;
742           case CR:
743             CALLBACK(url);
744             parser->http_major = 0;
745             parser->http_minor = 9;
746             state = s_req_line_almost_done;
747             break;
748           case LF:
749             CALLBACK(url);
750             parser->http_major = 0;
751             parser->http_minor = 9;
752             state = s_header_field_start;
753             break;
754           case '#':
755             state = s_req_fragment_start;
756             break;
757           default:
758             goto error;
759         }
760         break;
761       }
762 
763       case s_req_query_string:
764       {
765         if (normal_url_char[(unsigned char)ch]) break;
766 
767         switch (ch) {
768           case '?':
769             /* allow extra '?' in query string */
770             break;
771           case ' ':
772             CALLBACK(url);
773             CALLBACK(query_string);
774             state = s_req_http_start;
775             break;
776           case CR:
777             CALLBACK(url);
778             CALLBACK(query_string);
779             parser->http_major = 0;
780             parser->http_minor = 9;
781             state = s_req_line_almost_done;
782             break;
783           case LF:
784             CALLBACK(url);
785             CALLBACK(query_string);
786             parser->http_major = 0;
787             parser->http_minor = 9;
788             state = s_header_field_start;
789             break;
790           case '#':
791             CALLBACK(query_string);
792             state = s_req_fragment_start;
793             break;
794           default:
795             goto error;
796         }
797         break;
798       }
799 
800       case s_req_fragment_start:
801       {
802         if (normal_url_char[(unsigned char)ch]) {
803           MARK(fragment);
804           state = s_req_fragment;
805           break;
806         }
807 
808         switch (ch) {
809           case ' ':
810             CALLBACK(url);
811             state = s_req_http_start;
812             break;
813           case CR:
814             CALLBACK(url);
815             parser->http_major = 0;
816             parser->http_minor = 9;
817             state = s_req_line_almost_done;
818             break;
819           case LF:
820             CALLBACK(url);
821             parser->http_major = 0;
822             parser->http_minor = 9;
823             state = s_header_field_start;
824             break;
825           case '?':
826             MARK(fragment);
827             state = s_req_fragment;
828             break;
829           case '#':
830             break;
831           default:
832             goto error;
833         }
834         break;
835       }
836 
837       case s_req_fragment:
838       {
839         if (normal_url_char[(unsigned char)ch]) break;
840 
841         switch (ch) {
842           case ' ':
843             CALLBACK(url);
844             CALLBACK(fragment);
845             state = s_req_http_start;
846             break;
847           case CR:
848             CALLBACK(url);
849             CALLBACK(fragment);
850             parser->http_major = 0;
851             parser->http_minor = 9;
852             state = s_req_line_almost_done;
853             break;
854           case LF:
855             CALLBACK(url);
856             CALLBACK(fragment);
857             parser->http_major = 0;
858             parser->http_minor = 9;
859             state = s_header_field_start;
860             break;
861           case '?':
862           case '#':
863             break;
864           default:
865             goto error;
866         }
867         break;
868       }
869 
870       case s_req_http_start:
871         switch (ch) {
872           case 'H':
873             state = s_req_http_H;
874             break;
875           case ' ':
876             break;
877           default:
878             goto error;
879         }
880         break;
881 
882       case s_req_http_H:
883         STRICT_CHECK(ch != 'T');
884         state = s_req_http_HT;
885         break;
886 
887       case s_req_http_HT:
888         STRICT_CHECK(ch != 'T');
889         state = s_req_http_HTT;
890         break;
891 
892       case s_req_http_HTT:
893         STRICT_CHECK(ch != 'P');
894         state = s_req_http_HTTP;
895         break;
896 
897       case s_req_http_HTTP:
898         STRICT_CHECK(ch != '/');
899         state = s_req_first_http_major;
900         break;
901 
902       /* first digit of major HTTP version */
903       case s_req_first_http_major:
904         if (ch < '1' || ch > '9') goto error;
905         parser->http_major = ch - '0';
906         state = s_req_http_major;
907         break;
908 
909       /* major HTTP version or dot */
910       case s_req_http_major:
911       {
912         if (ch == '.') {
913           state = s_req_first_http_minor;
914           break;
915         }
916 
917         if (ch < '0' || ch > '9') goto error;
918 
919         parser->http_major *= 10;
920         parser->http_major += ch - '0';
921 
922         if (parser->http_major > 999) goto error;
923         break;
924       }
925 
926       /* first digit of minor HTTP version */
927       case s_req_first_http_minor:
928         if (ch < '0' || ch > '9') goto error;
929         parser->http_minor = ch - '0';
930         state = s_req_http_minor;
931         break;
932 
933       /* minor HTTP version or end of request line */
934       case s_req_http_minor:
935       {
936         if (ch == CR) {
937           state = s_req_line_almost_done;
938           break;
939         }
940 
941         if (ch == LF) {
942           state = s_header_field_start;
943           break;
944         }
945 
946         /* XXX allow spaces after digit? */
947 
948         if (ch < '0' || ch > '9') goto error;
949 
950         parser->http_minor *= 10;
951         parser->http_minor += ch - '0';
952 
953         if (parser->http_minor > 999) goto error;
954         break;
955       }
956 
957       /* end of request line */
958       case s_req_line_almost_done:
959       {
960         if (ch != LF) goto error;
961         state = s_header_field_start;
962         break;
963       }
964 
965       case s_header_field_start:
966       {
967         if (ch == CR) {
968           state = s_headers_almost_done;
969           break;
970         }
971 
972         if (ch == LF) {
973           /* they might be just sending \n instead of \r\n so this would be
974            * the second \n to denote the end of headers*/
975           state = s_headers_almost_done;
976           goto headers_almost_done;
977         }
978 
979         c = TOKEN(ch);
980 
981         if (!c) goto error;
982 
983         MARK(header_field);
984 
985         index = 0;
986         state = s_header_field;
987 
988         switch (c) {
989           case 'c':
990             header_state = h_C;
991             break;
992 
993           case 'p':
994             header_state = h_matching_proxy_connection;
995             break;
996 
997           case 't':
998             header_state = h_matching_transfer_encoding;
999             break;
1000 
1001           case 'u':
1002             header_state = h_matching_upgrade;
1003             break;
1004 
1005           default:
1006             header_state = h_general;
1007             break;
1008         }
1009         break;
1010       }
1011 
1012       case s_header_field:
1013       {
1014         c = TOKEN(ch);
1015 
1016         if (c) {
1017           switch (header_state) {
1018             case h_general:
1019               break;
1020 
1021             case h_C:
1022               index++;
1023               header_state = (c == 'o' ? h_CO : h_general);
1024               break;
1025 
1026             case h_CO:
1027               index++;
1028               header_state = (c == 'n' ? h_CON : h_general);
1029               break;
1030 
1031             case h_CON:
1032               index++;
1033               switch (c) {
1034                 case 'n':
1035                   header_state = h_matching_connection;
1036                   break;
1037                 case 't':
1038                   header_state = h_matching_content_length;
1039                   break;
1040                 default:
1041                   header_state = h_general;
1042                   break;
1043               }
1044               break;
1045 
1046             /* connection */
1047 
1048             case h_matching_connection:
1049               index++;
1050               if (index > sizeof(CONNECTION)-1
1051                   || c != CONNECTION[index]) {
1052                 header_state = h_general;
1053               } else if (index == sizeof(CONNECTION)-2) {
1054                 header_state = h_connection;
1055               }
1056               break;
1057 
1058             /* proxy-connection */
1059 
1060             case h_matching_proxy_connection:
1061               index++;
1062               if (index > sizeof(PROXY_CONNECTION)-1
1063                   || c != PROXY_CONNECTION[index]) {
1064                 header_state = h_general;
1065               } else if (index == sizeof(PROXY_CONNECTION)-2) {
1066                 header_state = h_connection;
1067               }
1068               break;
1069 
1070             /* content-length */
1071 
1072             case h_matching_content_length:
1073               index++;
1074               if (index > sizeof(CONTENT_LENGTH)-1
1075                   || c != CONTENT_LENGTH[index]) {
1076                 header_state = h_general;
1077               } else if (index == sizeof(CONTENT_LENGTH)-2) {
1078                 header_state = h_content_length;
1079               }
1080               break;
1081 
1082             /* transfer-encoding */
1083 
1084             case h_matching_transfer_encoding:
1085               index++;
1086               if (index > sizeof(TRANSFER_ENCODING)-1
1087                   || c != TRANSFER_ENCODING[index]) {
1088                 header_state = h_general;
1089               } else if (index == sizeof(TRANSFER_ENCODING)-2) {
1090                 header_state = h_transfer_encoding;
1091               }
1092               break;
1093 
1094             /* upgrade */
1095 
1096             case h_matching_upgrade:
1097               index++;
1098               if (index > sizeof(UPGRADE)-1
1099                   || c != UPGRADE[index]) {
1100                 header_state = h_general;
1101               } else if (index == sizeof(UPGRADE)-2) {
1102                 header_state = h_upgrade;
1103               }
1104               break;
1105 
1106             case h_connection:
1107             case h_content_length:
1108             case h_transfer_encoding:
1109             case h_upgrade:
1110               if (ch != ' ') header_state = h_general;
1111               break;
1112 
1113             default:
1114               assert(0 && "Unknown header_state");
1115               break;
1116           }
1117           break;
1118         }
1119 
1120         if (ch == ':') {
1121           CALLBACK(header_field);
1122           state = s_header_value_start;
1123           break;
1124         }
1125 
1126         if (ch == CR) {
1127           state = s_header_almost_done;
1128           CALLBACK(header_field);
1129           break;
1130         }
1131 
1132         if (ch == LF) {
1133           CALLBACK(header_field);
1134           state = s_header_field_start;
1135           break;
1136         }
1137 
1138         goto error;
1139       }
1140 
1141       case s_header_value_start:
1142       {
1143         if (ch == ' ') break;
1144 
1145         MARK(header_value);
1146 
1147         state = s_header_value;
1148         index = 0;
1149 
1150         c = LOWER(ch);
1151 
1152         if (ch == CR) {
1153           CALLBACK(header_value);
1154           header_state = h_general;
1155           state = s_header_almost_done;
1156           break;
1157         }
1158 
1159         if (ch == LF) {
1160           CALLBACK(header_value);
1161           state = s_header_field_start;
1162           break;
1163         }
1164 
1165         switch (header_state) {
1166           case h_upgrade:
1167             parser->flags |= F_UPGRADE;
1168             header_state = h_general;
1169             break;
1170 
1171           case h_transfer_encoding:
1172             /* looking for 'Transfer-Encoding: chunked' */
1173             if ('c' == c) {
1174               header_state = h_matching_transfer_encoding_chunked;
1175             } else {
1176               header_state = h_general;
1177             }
1178             break;
1179 
1180           case h_content_length:
1181             if (ch < '0' || ch > '9') goto error;
1182             parser->content_length = ch - '0';
1183             break;
1184 
1185           case h_connection:
1186             /* looking for 'Connection: keep-alive' */
1187             if (c == 'k') {
1188               header_state = h_matching_connection_keep_alive;
1189             /* looking for 'Connection: close' */
1190             } else if (c == 'c') {
1191               header_state = h_matching_connection_close;
1192             } else {
1193               header_state = h_general;
1194             }
1195             break;
1196 
1197           default:
1198             header_state = h_general;
1199             break;
1200         }
1201         break;
1202       }
1203 
1204       case s_header_value:
1205       {
1206         c = LOWER(ch);
1207 
1208         if (ch == CR) {
1209           CALLBACK(header_value);
1210           state = s_header_almost_done;
1211           break;
1212         }
1213 
1214         if (ch == LF) {
1215           CALLBACK(header_value);
1216           goto header_almost_done;
1217         }
1218 
1219         switch (header_state) {
1220           case h_general:
1221             break;
1222 
1223           case h_connection:
1224           case h_transfer_encoding:
1225             assert(0 && "Shouldn't get here.");
1226             break;
1227 
1228           case h_content_length:
1229             if (ch == ' ') break;
1230             if (ch < '0' || ch > '9') goto error;
1231             parser->content_length *= 10;
1232             parser->content_length += ch - '0';
1233             break;
1234 
1235           /* Transfer-Encoding: chunked */
1236           case h_matching_transfer_encoding_chunked:
1237             index++;
1238             if (index > sizeof(CHUNKED)-1
1239                 || c != CHUNKED[index]) {
1240               header_state = h_general;
1241             } else if (index == sizeof(CHUNKED)-2) {
1242               header_state = h_transfer_encoding_chunked;
1243             }
1244             break;
1245 
1246           /* looking for 'Connection: keep-alive' */
1247           case h_matching_connection_keep_alive:
1248             index++;
1249             if (index > sizeof(KEEP_ALIVE)-1
1250                 || c != KEEP_ALIVE[index]) {
1251               header_state = h_general;
1252             } else if (index == sizeof(KEEP_ALIVE)-2) {
1253               header_state = h_connection_keep_alive;
1254             }
1255             break;
1256 
1257           /* looking for 'Connection: close' */
1258           case h_matching_connection_close:
1259             index++;
1260             if (index > sizeof(CLOSE)-1 || c != CLOSE[index]) {
1261               header_state = h_general;
1262             } else if (index == sizeof(CLOSE)-2) {
1263               header_state = h_connection_close;
1264             }
1265             break;
1266 
1267           case h_transfer_encoding_chunked:
1268           case h_connection_keep_alive:
1269           case h_connection_close:
1270             if (ch != ' ') header_state = h_general;
1271             break;
1272 
1273           default:
1274             state = s_header_value;
1275             header_state = h_general;
1276             break;
1277         }
1278         break;
1279       }
1280 
1281       case s_header_almost_done:
1282       header_almost_done:
1283       {
1284         STRICT_CHECK(ch != LF);
1285 
1286         state = s_header_field_start;
1287 
1288         switch (header_state) {
1289           case h_connection_keep_alive:
1290             parser->flags |= F_CONNECTION_KEEP_ALIVE;
1291             break;
1292           case h_connection_close:
1293             parser->flags |= F_CONNECTION_CLOSE;
1294             break;
1295           case h_transfer_encoding_chunked:
1296             parser->flags |= F_CHUNKED;
1297             break;
1298           default:
1299             break;
1300         }
1301         break;
1302       }
1303 
1304       case s_headers_almost_done:
1305       headers_almost_done:
1306       {
1307         STRICT_CHECK(ch != LF);
1308 
1309         if (parser->flags & F_TRAILING) {
1310           /* End of a chunked request */
1311           CALLBACK2(message_complete);
1312           state = NEW_MESSAGE();
1313           break;
1314         }
1315 
1316         nread = 0;
1317 
1318         if ((parser->flags & F_UPGRADE) || parser->method == PHP_HTTP_CONNECT) {
1319           parser->upgrade = 1;
1320         }
1321 
1322         /* Here we call the headers_complete callback. This is somewhat
1323          * different than other callbacks because if the user returns 1, we
1324          * will interpret that as saying that this message has no body. This
1325          * is needed for the annoying case of receiving a response to a HEAD
1326          * request.
1327          */
1328         if (settings->on_headers_complete) {
1329           switch (settings->on_headers_complete(parser)) {
1330             case 0:
1331               break;
1332 
1333             case 1:
1334               parser->flags |= F_SKIPBODY;
1335               break;
1336 
1337             default:
1338               return p - data; /* Error */
1339           }
1340         }
1341 
1342         /* We cannot meaningfully support upgrade requests, since we only
1343          * support HTTP/1 for now.
1344          */
1345 #if 0
1346         /* Exit, the rest of the connect is in a different protocol. */
1347         if (parser->upgrade) {
1348           CALLBACK2(message_complete);
1349           return (p - data);
1350         }
1351 #endif
1352 
1353         if (parser->flags & F_SKIPBODY) {
1354           CALLBACK2(message_complete);
1355           state = NEW_MESSAGE();
1356         } else if (parser->flags & F_CHUNKED) {
1357           /* chunked encoding - ignore Content-Length header */
1358           state = s_chunk_size_start;
1359         } else {
1360           if (parser->content_length == 0) {
1361             /* Content-Length header given but zero: Content-Length: 0\r\n */
1362             CALLBACK2(message_complete);
1363             state = NEW_MESSAGE();
1364           } else if (parser->content_length > 0) {
1365             /* Content-Length header given and non-zero */
1366             state = s_body_identity;
1367           } else {
1368             if (parser->type == PHP_HTTP_REQUEST || php_http_should_keep_alive(parser)) {
1369               /* Assume content-length 0 - read the next */
1370               CALLBACK2(message_complete);
1371               state = NEW_MESSAGE();
1372             } else {
1373               /* Read body until EOF */
1374               state = s_body_identity_eof;
1375             }
1376           }
1377         }
1378 
1379         break;
1380       }
1381 
1382       case s_body_identity:
1383         assert(pe >= p);
1384 
1385         to_read = MIN((size_t)(pe - p), (size_t)parser->content_length);
1386         if (to_read > 0) {
1387           if (settings->on_body) settings->on_body(parser, p, to_read);
1388           p += to_read - 1;
1389           parser->content_length -= to_read;
1390           if (parser->content_length == 0) {
1391             CALLBACK2(message_complete);
1392             state = NEW_MESSAGE();
1393           }
1394         }
1395         break;
1396 
1397       /* read until EOF */
1398       case s_body_identity_eof:
1399         to_read = pe - p;
1400         if (to_read > 0) {
1401           if (settings->on_body) settings->on_body(parser, p, to_read);
1402           p += to_read - 1;
1403         }
1404         break;
1405 
1406       case s_chunk_size_start:
1407       {
1408         assert(parser->flags & F_CHUNKED);
1409 
1410         c = unhex[(unsigned char)ch];
1411         if (c == -1) goto error;
1412         parser->content_length = c;
1413         state = s_chunk_size;
1414         break;
1415       }
1416 
1417       case s_chunk_size:
1418       {
1419         assert(parser->flags & F_CHUNKED);
1420 
1421         if (ch == CR) {
1422           state = s_chunk_size_almost_done;
1423           break;
1424         }
1425 
1426         c = unhex[(unsigned char)ch];
1427 
1428         if (c == -1) {
1429           if (ch == ';' || ch == ' ') {
1430             state = s_chunk_parameters;
1431             break;
1432           }
1433           goto error;
1434         }
1435 
1436         parser->content_length *= 16;
1437         parser->content_length += c;
1438         break;
1439       }
1440 
1441       case s_chunk_parameters:
1442       {
1443         assert(parser->flags & F_CHUNKED);
1444         /* just ignore this shit. TODO check for overflow */
1445         if (ch == CR) {
1446           state = s_chunk_size_almost_done;
1447           break;
1448         }
1449         break;
1450       }
1451 
1452       case s_chunk_size_almost_done:
1453       {
1454         assert(parser->flags & F_CHUNKED);
1455         STRICT_CHECK(ch != LF);
1456 
1457         if (parser->content_length == 0) {
1458           parser->flags |= F_TRAILING;
1459           state = s_header_field_start;
1460         } else {
1461           state = s_chunk_data;
1462         }
1463         break;
1464       }
1465 
1466       case s_chunk_data:
1467       {
1468         assert(parser->flags & F_CHUNKED);
1469         assert(pe >= p);
1470 
1471         to_read = MIN((size_t)(pe - p), (size_t)(parser->content_length));
1472 
1473         if (to_read > 0) {
1474           if (settings->on_body) settings->on_body(parser, p, to_read);
1475           p += to_read - 1;
1476         }
1477 
1478         if (to_read == (size_t)parser->content_length) {
1479           state = s_chunk_data_almost_done;
1480         }
1481 
1482         parser->content_length -= to_read;
1483         break;
1484       }
1485 
1486       case s_chunk_data_almost_done:
1487         assert(parser->flags & F_CHUNKED);
1488         STRICT_CHECK(ch != CR);
1489         state = s_chunk_data_done;
1490         break;
1491 
1492       case s_chunk_data_done:
1493         assert(parser->flags & F_CHUNKED);
1494         STRICT_CHECK(ch != LF);
1495         state = s_chunk_size_start;
1496         break;
1497 
1498       default:
1499         assert(0 && "unhandled state");
1500         goto error;
1501     }
1502   }
1503 
1504   CALLBACK_NOCLEAR(header_field);
1505   CALLBACK_NOCLEAR(header_value);
1506   CALLBACK_NOCLEAR(fragment);
1507   CALLBACK_NOCLEAR(query_string);
1508   CALLBACK_NOCLEAR(path);
1509   CALLBACK_NOCLEAR(url);
1510 
1511   parser->state = state;
1512   parser->header_state = header_state;
1513   parser->index = index;
1514   parser->nread = nread;
1515 
1516   return len;
1517 
1518 error:
1519   parser->state = s_dead;
1520   return (p - data);
1521 }
1522 
1523 
1524 int
php_http_should_keep_alive(php_http_parser * parser)1525 php_http_should_keep_alive (php_http_parser *parser)
1526 {
1527   if (parser->http_major > 0 && parser->http_minor > 0) {
1528     /* HTTP/1.1 */
1529     if (parser->flags & F_CONNECTION_CLOSE) {
1530       return 0;
1531     } else {
1532       return 1;
1533     }
1534   } else {
1535     /* HTTP/1.0 or earlier */
1536     if (parser->flags & F_CONNECTION_KEEP_ALIVE) {
1537       return 1;
1538     } else {
1539       return 0;
1540     }
1541   }
1542 }
1543 
1544 
php_http_method_str(enum php_http_method m)1545 const char * php_http_method_str (enum php_http_method m)
1546 {
1547   return method_strings[m];
1548 }
1549 
1550 
1551 void
php_http_parser_init(php_http_parser * parser,enum php_http_parser_type t)1552 php_http_parser_init (php_http_parser *parser, enum php_http_parser_type t)
1553 {
1554   parser->type = t;
1555   parser->state = (t == PHP_HTTP_REQUEST ? s_start_req : (t == PHP_HTTP_RESPONSE ? s_start_res : s_start_req_or_res));
1556   parser->nread = 0;
1557   parser->upgrade = 0;
1558   parser->flags = 0;
1559   parser->method = 0;
1560 }
1561