From 3e53dbbe758a4e2da378ebf0296d8105d4a5804c Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Sun, 28 Jun 2020 20:59:27 +0200
Subject: Ensure HTTP status code text has sensible content

We use the code in error messages, so at least for that edgecase we should ensure that it has sensible content. Note that the acquire system aborts on non-sensible message content in SendMessage, so you can't really exploit this.
---
 methods/basehttp.cc | 3 +++
 methods/basehttp.h | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/methods/basehttp.cc b/methods/basehttp.cc
index b75b450cc..3786e2e6c 100644
--- a/methods/basehttp.cc
+++ b/methods/basehttp.cc
@@ -110,6 +110,9 @@ bool RequestState::HeaderLine(string const &Line) /*{{{*/
 if (sscanf(Line.c_str(),"HTTP %3u%359[^\n]",&Result,Code) != 2)
 return _error->Error(_("The HTTP server sent an invalid reply header"));
 }
+ auto const CodeLen = strlen(Code);
+ auto const CodeEnd = std::remove_if(Code, Code + CodeLen, [](char c) { return isprint(c) == 0; });
+ *CodeEnd = '\0';
 /* Check the HTTP response header to get the default persistence state. */
diff --git a/methods/basehttp.h b/methods/basehttp.h
index 62c9963ea..c0d14d854 100644
--- a/methods/basehttp.h
+++ b/methods/basehttp.h
@@ -60,7 +60,7 @@ struct RequestState
 bool AddPartialFileToHashes(FileFd &File);
 RequestState(BaseHttpMethod * const Owner, ServerState * const Server) :
- Owner(Owner), Server(Server) { time(&Date); }
+ Owner(Owner), Server(Server) { time(&Date); Code[0] = '\0'; }
 };
 struct ServerState {
-- 
cgit v1.2.3-18-g5258
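Review bot: The predicate in the added `std::remove_if` call in methods/basehttp.cc passes a plain `char` to `isprint`, which is undefined behaviour for negative values; where `char` is signed, every byte above 0x7f in the server-supplied status text is negative. Convert before the call: `[](char c) { return isprint(static_cast<unsigned char>(c)) == 0; }`. `isprint` also follows the current C locale, so if the method process runs under a non-"C" locale the set of bytes that survive may vary; an explicit range check (0x20 to 0x7e) would make the filter deterministic. HeaderLine starts and continues outside this hunk, so whether `<algorithm>`, `<cctype>` and `<cstring>` are already included cannot be confirmed from here.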
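Review bot: Setting `Code[0] = '\0'` in the constructor body in methods/basehttp.h keeps the "Code is always a terminated string" invariant only for this one constructor. A default member initializer on the array's declaration (outside this hunk), for example `= {}` after the declarator, would hold for any constructor added later and would sit next to the buffer it protects. If the assignment stays in the body, a short comment such as `// Code may be used in error messages before any status line is parsed` would record why it is there; that rationale is taken from the commit message and should be confirmed against the callers.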