From 363778f74fba9d9b85980df0590f8106dfd0a6b0 Mon Sep 17 00:00:00 2001
From: Mikko Rasa <tdb@tdb.fi>
Date: Fri, 9 Dec 2022 19:54:16 +0200
Subject: [PATCH] Reject HTTP messages starting with a linefeed

It would make str[lf-1] invalid.  Also ignore the carriage return at the
end of the first line when parsing a response.
---
 source/http/request.cpp  | 2 ++
 source/http/response.cpp | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/http/request.cpp b/source/http/request.cpp
index 54b0bee..15056d6 100644
--- a/source/http/request.cpp
+++ b/source/http/request.cpp
@@ -28,6 +28,8 @@ string Request::str() const
 Request Request::parse(const string &str)
 {
 	string::size_type lf = str.find('\n');
+	if(lf==0)
+		throw invalid_argument("Request::parse");
 	vector<string> parts = split(str.substr(0, lf-(str[lf-1]=='\r')), ' ', 2);
 	if(parts.size()<3)
 		throw invalid_argument("Request::parse");
diff --git a/source/http/response.cpp b/source/http/response.cpp
index 739a20f..6fa4cc3 100644
--- a/source/http/response.cpp
+++ b/source/http/response.cpp
@@ -24,7 +24,9 @@ Response Response::parse(const string &str)
 	Response result;
 
 	string::size_type lf = str.find('\n');
-	vector<string> parts = split(str.substr(0, lf), ' ', 2);
+	if(lf==0)
+		throw invalid_argument("Response::parse");
+	vector<string> parts = split(str.substr(0, lf-(str[lf-1]=='\r')), ' ', 2);
 	if(parts.size()<2)
 		throw invalid_argument("Response::parse");
 
-- 
2.43.0