Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit httparse #73

Open
Shnatsel opened this issue Mar 6, 2021 · 1 comment
Open

Audit httparse #73

Shnatsel opened this issue Mar 6, 2021 · 1 comment

Comments

@Shnatsel
Copy link
Member

Shnatsel commented Mar 6, 2021

https://crates.io/crates/httparse is a widely used HTTP parsing crate, most notably powering hyper and reqwest.

cargo-geiger shows the following when httparse is used via reqwest:

Functions  Expressions  Impls  Traits  Methods  Dependency
10/10      198/232      0/0    0/0     3/3      httparse 1.3.5

Unsafe code in parsers it quite dangerous. Binary format parsers are the poster children for memory safety vulnerabilities.

Text format parsers are a bit less dangerous, but having so much unsafe parsing code exposed to untrusted input is still scary.
@LegionMammal978
Copy link

LegionMammal978 commented May 28, 2022
edited
Loading

The str::from_utf8_unchecked() invocations all look correct. The loops assert that every byte in the slice prior to the Bytes iterator's current position is valid, and the checks done on the bytes all imply that the prefix contains valid UTF-8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Shnatsel @LegionMammal978