From 607909fd9f2495757e50a1480db2ccc1beb4920e Mon Sep 17 00:00:00 2001
From: Leah Neukirchen <leah@vuxu.org>
Date: Mon, 7 Feb 2022 15:17:19 +0100
Subject: send 400 bad request and drop connection on http parse errors

Reported by @ellcs.

Closes #2.
---
 hittpd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hittpd.c b/hittpd.c
index 0a243b4..7a979a4 100644
--- a/hittpd.c
+++ b/hittpd.c
@@ -263,6 +263,9 @@ accesslog(http_parser *p, int status)
 
 	struct conn_data *data = p->data;
 
+	if (!data->path)
+		return;
+
 	char logtimestamp[64];
 	strftime(logtimestamp, sizeof logtimestamp,
 	    "[%d/%b/%Y:%H:%M:%S %z]", localtime(&now));
@@ -350,6 +353,11 @@ send_error(http_parser *p, int status, const char *msg)
 	char content[512];
 	snprintf(content, sizeof content, "%03d %s\r\n", status, msg);
 
+	if (p->http_major == 0) {
+		p->http_major = 1;
+		p->http_minor = 0;
+	}
+
 	send_response(p, status, msg, "", content);
 
 	return 0;
@@ -933,6 +941,9 @@ read_client(int i)
 			// we handled a complete request, we can reuse
 			// the parser
 			http_parser_pause(&parsers[i], 0);
+		} else if (HTTP_PARSER_ERRNO(&parsers[i]) > 0) {
+			send_error(&parsers[i], 400, "Bad Request");
+			close_connection(i);
 		} else {
 			// the read data was longer than a single request
 			// drop the rest and make sure we close the connection,
-- 
cgit 1.4.1