From 78b261d376520c02173ea4310efd61855acec9ed Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Tue, 18 Jun 2019 08:59:47 -0400
Subject: Avoid regexp ranges in HTTP inter-protocol exploitation check.

* module/system/repl/server.scm (permissive-http-request-line?): Avoid
character ranges in regexp.
---
 module/system/repl/server.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'module')

diff --git a/module/system/repl/server.scm b/module/system/repl/server.scm
index 725eb4eda..e6c18962f 100644
--- a/module/system/repl/server.scm
+++ b/module/system/repl/server.scm
@@ -230,7 +230,7 @@ and then close it.  Return the drained input as a string."
              (string-append
               "^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT) "
               "[^ ]+ "
-              "HTTP/[0-9]+.[0-9]+$"))))
+              "HTTP/[0123456789]+.[0123456789]+$"))))
     (lambda (line)
       "Return true if LINE might plausibly be an HTTP request-line,
 otherwise return #f."
-- 
cgit v1.2.3