HTP  0.5
Data Structures | Macros | Typedefs | Enumerations | Functions
htp_multipart.h File Reference
#include "bstr.h"
#include "htp.h"
#include "htp_table.h"

Go to the source code of this file.

Data Structures

struct  htp_multipart_t
 
struct  htp_multipart_part_t
 

Macros

#define HTP_MULTIPART_LF_LINE   0x0001
 
#define HTP_MULTIPART_CRLF_LINE   0x0002
 
#define HTP_MULTIPART_BBOUNDARY_LWS_AFTER   0x0004
 
#define HTP_MULTIPART_BBOUNDARY_NLWS_AFTER   0x0008
 
#define HTP_MULTIPART_HAS_PREAMBLE   0x0010
 
#define HTP_MULTIPART_HAS_EPILOGUE   0x0020
 
#define HTP_MULTIPART_SEEN_LAST_BOUNDARY   0x0040
 
#define HTP_MULTIPART_PART_AFTER_LAST_BOUNDARY   0x0080
 
#define HTP_MULTIPART_INCOMPLETE   0x0100
 
#define HTP_MULTIPART_HBOUNDARY_INVALID   0x0200
 
#define HTP_MULTIPART_HBOUNDARY_UNUSUAL   0x0400
 
#define HTP_MULTIPART_HBOUNDARY_QUOTED   0x0800
 
#define HTP_MULTIPART_PART_HEADER_FOLDING   0x1000
 
#define HTP_MULTIPART_PART_UNKNOWN   0x2000
 
#define HTP_MULTIPART_PART_HEADER_REPEATED   0x4000
 
#define HTP_MULTIPART_PART_HEADER_UNKNOWN   0x8000
 
#define HTP_MULTIPART_PART_HEADER_INVALID   0x10000
 
#define HTP_MULTIPART_CD_TYPE_INVALID   0x20000
 
#define HTP_MULTIPART_CD_PARAM_REPEATED   0x40000
 
#define HTP_MULTIPART_CD_PARAM_UNKNOWN   0x80000
 
#define HTP_MULTIPART_CD_SYNTAX_INVALID   0x100000
 
#define HTP_MULTIPART_PART_INCOMPLETE   0x200000
 
#define HTP_MULTIPART_NUL_BYTE   0x400000
 
#define HTP_MULTIPART_CD_INVALID
 
#define HTP_MULTIPART_PART_INVALID
 
#define HTP_MULTIPART_INVALID
 
#define HTP_MULTIPART_UNUSUAL
 
#define HTP_MULTIPART_UNUSUAL_PARANOID
 
#define HTP_MULTIPART_MIME_TYPE   "multipart/form-data"
 

Typedefs

typedef struct htp_mpartp_t htp_mpartp_t
 
typedef struct htp_multipart_t htp_multipart_t
 
typedef struct htp_multipart_part_t htp_multipart_part_t
 

Enumerations

enum  htp_multipart_type_t {
  MULTIPART_PART_UNKNOWN = 0, MULTIPART_PART_TEXT = 1, MULTIPART_PART_FILE = 2, MULTIPART_PART_PREAMBLE = 3,
  MULTIPART_PART_EPILOGUE = 4
}
 

Functions

htp_mpartp_thtp_mpartp_create (htp_cfg_t *cfg, bstr *boundary, uint64_t flags)
 
htp_status_t htp_mpartp_find_boundary (bstr *content_type, bstr **boundary, uint64_t *multipart_flags)
 
htp_multipart_thtp_mpartp_get_multipart (htp_mpartp_t *parser)
 
void htp_mpartp_destroy (htp_mpartp_t *parser)
 
htp_status_t htp_mpartp_finalize (htp_mpartp_t *parser)
 
htp_status_t htp_mpartp_parse (htp_mpartp_t *parser, const void *data, size_t len)
 

Detailed Description

Author
Ivan Ristic ivanr.nosp@m.@web.nosp@m.kreat.nosp@m.or.c.nosp@m.om

Macro Definition Documentation

#define HTP_MULTIPART_BBOUNDARY_LWS_AFTER   0x0004

Seen LWS after a boundary instance in the body. Unusual.

#define HTP_MULTIPART_BBOUNDARY_NLWS_AFTER   0x0008

Seen non-LWS content after a boundary instance in the body. Highly unusual.

#define HTP_MULTIPART_CD_INVALID
Value:
( \
#define HTP_MULTIPART_CD_PARAM_UNKNOWN
Definition: htp_multipart.h:142
#define HTP_MULTIPART_CD_TYPE_INVALID
Definition: htp_multipart.h:136
#define HTP_MULTIPART_CD_PARAM_REPEATED
Definition: htp_multipart.h:139
#define HTP_MULTIPART_CD_SYNTAX_INVALID
Definition: htp_multipart.h:145

A collection of flags that all indicate an invalid C-D header.

#define HTP_MULTIPART_CD_PARAM_REPEATED   0x40000

Content-Disposition part header with multiple parameters with the same name.

#define HTP_MULTIPART_CD_PARAM_UNKNOWN   0x80000

Unknown Content-Disposition parameter.

#define HTP_MULTIPART_CD_SYNTAX_INVALID   0x100000

Invalid Content-Disposition syntax.

#define HTP_MULTIPART_CD_TYPE_INVALID   0x20000

Part type specified in the C-D header is neither MULTIPART_PART_TEXT nor MULTIPART_PART_FILE.

#define HTP_MULTIPART_CRLF_LINE   0x0002

Seen a CRLF line in the payload. This is normal and expected.

#define HTP_MULTIPART_HAS_EPILOGUE   0x0020

Payload has an epilogue part. Unusual.

#define HTP_MULTIPART_HAS_PREAMBLE   0x0010

Payload has a preamble part. Might not be that unusual.

#define HTP_MULTIPART_HBOUNDARY_INVALID   0x0200

The boundary in the Content-Type header is invalid.

#define HTP_MULTIPART_HBOUNDARY_QUOTED   0x0800

The boundary in the Content-Type header is quoted. This is very unusual, and may be indicative of an evasion attempt.

#define HTP_MULTIPART_HBOUNDARY_UNUSUAL   0x0400

The boundary in the Content-Type header is unusual. This may mean that evasion is attempted, but it could also mean that we have encountered a client that does not do things in the way it should.

#define HTP_MULTIPART_INCOMPLETE   0x0100

The payloads ends abruptly, without proper termination. Can occur if the client gives up, or if the connection is interrupted. When this flag is raised, HTP_MULTIPART_PART_INCOMPLETE will also be raised for the part that was only partially processed. (But the opposite may not always be the case – there are other ways in which a part can be left incomplete.)

#define HTP_MULTIPART_INVALID
Value:
( \
#define HTP_MULTIPART_PART_AFTER_LAST_BOUNDARY
Definition: htp_multipart.h:91
#define HTP_MULTIPART_PART_INVALID
Definition: htp_multipart.h:165
#define HTP_MULTIPART_INCOMPLETE
Definition: htp_multipart.h:99
#define HTP_MULTIPART_HBOUNDARY_INVALID
Definition: htp_multipart.h:102

A collection of flags that all indicate an invalid Multipart payload.

#define HTP_MULTIPART_LF_LINE   0x0001

Seen a LF line in the payload. LF lines are not allowed, but some clients do use them and some backends do accept them. Mixing LF and CRLF lines within some payload might be unusual.

#define HTP_MULTIPART_MIME_TYPE   "multipart/form-data"
#define HTP_MULTIPART_NUL_BYTE   0x400000

A NUL byte was seen in a part header area.

#define HTP_MULTIPART_PART_AFTER_LAST_BOUNDARY   0x0080

There was a part after the last boundary. This is highly irregular and indicative of evasion.

#define HTP_MULTIPART_PART_HEADER_FOLDING   0x1000

Header folding was used in part headers. Very unusual.

#define HTP_MULTIPART_PART_HEADER_INVALID   0x10000

Invalid part header encountered.

#define HTP_MULTIPART_PART_HEADER_REPEATED   0x4000

There was a repeated part header, possibly in an attempt to confuse the parser. Very unusual.

#define HTP_MULTIPART_PART_HEADER_UNKNOWN   0x8000

Unknown part header encountered.

#define HTP_MULTIPART_PART_INCOMPLETE   0x200000

There is an abruptly terminated part. This can happen when the payload itself is abruptly terminated (in which case HTP_MULTIPART_INCOMPLETE) will be raised. However, it can also happen when a boundary is seen before any part data.

#define HTP_MULTIPART_PART_INVALID
Value:
( \
#define HTP_MULTIPART_CD_INVALID
Definition: htp_multipart.h:158
#define HTP_MULTIPART_NUL_BYTE
Definition: htp_multipart.h:155
#define HTP_MULTIPART_PART_HEADER_INVALID
Definition: htp_multipart.h:133
#define HTP_MULTIPART_PART_UNKNOWN
Definition: htp_multipart.h:124
#define HTP_MULTIPART_PART_HEADER_UNKNOWN
Definition: htp_multipart.h:130
#define HTP_MULTIPART_PART_INCOMPLETE
Definition: htp_multipart.h:152
#define HTP_MULTIPART_PART_HEADER_REPEATED
Definition: htp_multipart.h:127

A collection of flags that all indicate an invalid part.

#define HTP_MULTIPART_PART_UNKNOWN   0x2000

A part of unknown type was encountered, which probably means that the part is lacking a Content-Disposition header, or that the header is invalid. Highly unusual.

#define HTP_MULTIPART_SEEN_LAST_BOUNDARY   0x0040

The last boundary was seen in the payload. Absence of the last boundary may not break parsing with some (most?) backends, but it means that the payload is not well formed. Can occur if the client gives up, or if the connection is interrupted. Incomplete payloads should be blocked whenever possible.

#define HTP_MULTIPART_UNUSUAL
Value:
( \
#define HTP_MULTIPART_HBOUNDARY_QUOTED
Definition: htp_multipart.h:115
#define HTP_MULTIPART_INVALID
Definition: htp_multipart.h:175
#define HTP_MULTIPART_PART_HEADER_FOLDING
Definition: htp_multipart.h:118
#define HTP_MULTIPART_HAS_EPILOGUE
Definition: htp_multipart.h:77
#define HTP_MULTIPART_BBOUNDARY_NLWS_AFTER
Definition: htp_multipart.h:67

A collection of flags that all indicate an unusual Multipart payload.

#define HTP_MULTIPART_UNUSUAL_PARANOID
Value:
( \
#define HTP_MULTIPART_HAS_PREAMBLE
Definition: htp_multipart.h:72
#define HTP_MULTIPART_UNUSUAL
Definition: htp_multipart.h:182
#define HTP_MULTIPART_BBOUNDARY_LWS_AFTER
Definition: htp_multipart.h:64
#define HTP_MULTIPART_LF_LINE
Definition: htp_multipart.h:58

A collection of flags that all indicate an unusual Multipart payload, with a low sensitivity to irregularities.

Typedef Documentation

typedef struct htp_mpartp_t htp_mpartp_t

Holds multipart parser configuration and state. Private.

Holds information related to a part.

Holds information related to a multipart body.

Enumeration Type Documentation

Enumerator
MULTIPART_PART_UNKNOWN 

Unknown part.

MULTIPART_PART_TEXT 

Text (parameter) part.

MULTIPART_PART_FILE 

File part.

MULTIPART_PART_PREAMBLE 

Free-text part before the first boundary.

MULTIPART_PART_EPILOGUE 

Free-text part after the last boundary.

Function Documentation

htp_mpartp_t* htp_mpartp_create ( htp_cfg_t cfg,
bstr boundary,
uint64_t  flags 
)

Creates a new multipart/form-data parser. On a successful invocation, the ownership of the boundary parameter is transferred to the parser.

Parameters
[in]cfg
[in]boundary
[in]flags
Returns
New parser instance, or NULL on memory allocation failure.
void htp_mpartp_destroy ( htp_mpartp_t parser)

Destroys the provided parser.

Parameters
[in]parser
htp_status_t htp_mpartp_finalize ( htp_mpartp_t parser)

Finalize parsing.

Parameters
[in]parser
Returns
HTP_OK on success, HTP_ERROR on failure.
htp_status_t htp_mpartp_find_boundary ( bstr content_type,
bstr **  boundary,
uint64_t *  multipart_flags 
)

Looks for boundary in the supplied Content-Type request header. The extracted boundary will be allocated on the heap.

Parameters
[in]content_type
[out]boundary
[out]multipart_flagsMultipart flags, which are not compatible from general LibHTP flags.
Returns
HTP_OK on success (boundary found), HTP_DECLINED if boundary was not found, and HTP_ERROR on failure. Flags may be set on HTP_OK and HTP_DECLINED. For example, if a boundary could not be extracted but there is indication that one is present, HTP_MULTIPART_HBOUNDARY_INVALID will be set.
htp_multipart_t* htp_mpartp_get_multipart ( htp_mpartp_t parser)

Returns the multipart structure created by the parser.

Parameters
[in]parser
Returns
The main multipart structure.
htp_status_t htp_mpartp_parse ( htp_mpartp_t parser,
const void *  data,
size_t  len 
)

Parses a chunk of multipart/form-data data. This function should be called as many times as necessary until all data has been consumed.

Parameters
[in]parser
[in]data
[in]len
Returns
HTP_OK on success, HTP_ERROR on failure.