Actually silently ignore GET / OCSP requests

Reviewed-by: Matt Caswell <matt@openssl.org>
2019-07-15 13:12:04 -04:00 · 2019-07-15 13:12:04 -04:00 · 5fe499cb75
commit 5fe499cb75
parent 12df11bdf1
1 changed files with 4 additions and 2 deletions
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -1436,9 +1436,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
        *q = '\0';

        /*
-         * Skip "GET / HTTP..." requests often used by load-balancers
+         * Skip "GET / HTTP..." requests often used by load-balancers.  Note:
+         * 'p' was incremented above to point to the first byte *after* the
+         * leading slash, so with 'GET / ' it is now an empty string.
         */
-        if (p[1] == '\0')
+        if (p[0] == '\0')
            goto out;

        len = urldecode(p);