| # Copyright 2016 The Chromium Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Fuzzer dictionary targeting HTTP/1.x responses. |
| |
| # Entries that are generally useful in headers |
| ":" |
| # "\x0A" is LF and "\x0D" is CR. They are listed as separate tokens, so |
| # mutations can produce CRLF, bare-LF and bare-CR line endings. |
| "\x0A" |
| "\x0D" |
| "0" |
| "50" |
| "500" |
| # Horizontal whitespace. Matters mostly in status line. |
| " " |
| "\x09" |
| # Header continuation: CRLF followed by a tab, i.e. a folded header line |
| # (RFC 7230 calls this obs-fold and deprecates it). |
| "\x0D\x0A\x09" |
| # Used in a lot of individual headers |
| ";" |
| "=" |
| "," |
| "\"" |
| "-" |
| |
| # Status line components |
| "HTTP" |
| "/1.1" |
| "/1.0" |
| # Status codes of interest. Each has a leading space so that it can be |
| # inserted into an existing status line. |
| " 100" |
| " 200" |
| " 206" |
| " 301" |
| " 302" |
| " 303" |
| " 304" |
| " 307" |
| " 308" |
| " 401" |
| " 403" |
| " 404" |
| " 500" |
| " 501" |
| # NOTE(review): " 403" already appears earlier in this list, so this entry |
| # is redundant; possibly a different code was intended - confirm. |
| " 403" |
| |
| # Full status lines (Some with relevant following headers) |
| # All of these use a bare LF ("\x0A") as the line terminator, not CRLF. |
| "HTTP/1.1 200 OK\x0A\x0A" |
| "HTTP/1.1 100 Continue\x0A\x0A" |
| # NOTE(review): this entry ends in "\x0A\xA0", while every other entry in |
| # this group ends in "\x0A\x0A". Looks like a transposed hex escape, which |
| # would leave the 401 header block unterminated - confirm and fix if so. |
| "HTTP/1.1 401 Unauthorized\x0AWWW-Authenticate: Basic realm=\"Middle-Earth\"\x0A\xA0" |
| "HTTP/1.1 407 Proxy Authentication Required\x0AProxy-Authenticate: Digest realm=\"Middle-Earth\", nonce=\"aaaaaaaaaa\"\x0A\x0A" |
| "HTTP/1.0 301 Moved Permanently\x0ALocation: /a\x0A\x0A" |
| "HTTP/1.1 302 Found\x0ALocation: http://lost/\x0A\x0A" |
| |
| # Authentication challenge headers (server and proxy) plus scheme and |
| # parameter tokens. Note that fuzzers don't support NTLM or negotiate. |
| "WWW-Authenticate:" |
| "Proxy-Authenticate:" |
| "Basic" |
| "Digest" |
| "realm" |
| "nonce" |
| |
| # Connection management: header names, values, and complete header lines. |
| # The entries with a leading "\x0A" are whole header lines that can be |
| # inserted after an existing line. |
| "Connection:" |
| "Proxy-Connection:" |
| "Keep-Alive" |
| "Close" |
| "Upgrade" |
| "\x0AConnection: Keep-Alive" |
| "\x0AConnection: Close" |
| "\x0AProxy-Connection: Keep-Alive" |
| "\x0AProxy-Connection: Close" |
| |
| # Message framing. Both Content-Length and Transfer-Encoding: chunked are |
| # available, so mutated inputs can carry conflicting or repeated framing |
| # headers; how the parser resolves those is security-relevant and worth |
| # keeping covered. |
| "Content-Length:" |
| "Transfer-Encoding:" |
| "chunked" |
| "\x0AContent-Length: 0" |
| "\x0AContent-Length: 500" |
| # Header plus a complete chunked body: one 5-byte chunk ("12345") followed |
| # by the terminating zero-length chunk. Line endings are bare LF. |
| "\x0ATransfer-Encoding: chunked\x0A\x0A5\x0A12345\x0A0\x0A\x0A" |
| |
| # Redirect targets: http and https variants of two host names. |
| "Location:" |
| "\x0ALocation: http://foo/" |
| "\x0ALocation: http://bar/" |
| "\x0ALocation: https://foo/" |
| "\x0ALocation: https://bar/" |
| |
| # Range support. |
| "Accept-Ranges:" |
| "bytes" |
| "\x0AAccept-Ranges: bytes" |
| |
| # NOTE(review): only the header name is listed; there is no sample |
| # Content-Range value in this dictionary. |
| "Content-Range:" |
| |
| # Age in seconds. 3153600000 is 100 * 365 * 86400; it is larger than |
| # 2^31 - 1, so it does not fit in a signed 32-bit integer. |
| "Age:" |
| "\x0AAge: 0" |
| "\x0AAge: 3153600000" |
| |
| # Cache-Control directives and complete header lines. The large max-age |
| # value (3153600000) is larger than 2^31 - 1. |
| "Cache-Control:" |
| "max-age" |
| "no-cache" |
| "no-store" |
| "must-revalidate" |
| "\x0ACache-Control: max-age=3153600000" |
| "\x0ACache-Control: max-age=0" |
| "\x0ACache-Control: no-cache" |
| "\x0ACache-Control: no-store" |
| "\x0ACache-Control: must-revalidate" |
| |
| # Content-Disposition header name and parameter tokens. No complete header |
| # line is provided for this header. |
| "Content-Disposition:" |
| "attachment" |
| "filename" |
| |
| # Content codings: bare tokens, then one complete header line per coding. |
| "Content-Encoding:" |
| "gzip" |
| "deflate" |
| "sdch" |
| "br" |
| "\x0AContent-Encoding: gzip" |
| "\x0AContent-Encoding: deflate" |
| "\x0AContent-Encoding: sdch" |
| "\x0AContent-Encoding: br" |
| |
| # Date-valued headers, using one date far in the future and one in the past. |
| # NOTE(review): these values have a comma after the month ("01 Apr, 2050"), |
| # which the standard HTTP date format ("Fri, 01 Apr 2050 14:14:14 GMT") |
| # does not have. If that is unintended, none of these entries is a |
| # well-formed date - confirm, and consider adding a well-formed variant. |
| "Date:" |
| "Fri, 01 Apr, 2050 14:14:14 GMT" |
| "Mon, 28 Mar, 2016 04:04:04 GMT" |
| "\x0ADate: Fri, 01 Apr, 2050 14:14:14 GMT" |
| "\x0ADate: Mon, 28 Mar, 2016 04:04:04 GMT" |
| |
| "Last-Modified:" |
| "\x0ALast-Modified: Fri, 01 Apr, 2050 14:14:14 GMT" |
| "\x0ALast-Modified: Mon, 28 Mar, 2016 04:04:04 GMT" |
| |
| "Expires:" |
| "\x0AExpires: Fri, 01 Apr, 2050 14:14:14 GMT" |
| "\x0AExpires: Mon, 28 Mar, 2016 04:04:04 GMT" |
| |
| # Set-Cookie header name, attribute names and attribute values. |
| "Set-Cookie:" |
| "Expires" |
| "Max-Age" |
| "Domain" |
| "Path" |
| "Secure" |
| "HttpOnly" |
| # Values for the Priority attribute. |
| "Priority" |
| "Low" |
| "Medium" |
| "High" |
| # Values for the SameSite attribute. |
| "SameSite" |
| "Strict" |
| "Lax" |
| # Complete header lines. These use HttpOnly, Priority, SameSite and Path |
| # only; Expires, Max-Age, Domain and Secure appear above as bare tokens but |
| # in no complete line. |
| "\x0ASet-Cookie: foo=bar" |
| "\x0ASet-Cookie: foo2=bar2;HttpOnly;Priority=Low;SameSite=Strict;Path=/" |
| "\x0ASet-Cookie: foo=chicken;SameSite=Lax" |
| |
| # HSTS: header name and the includeSubDomains directive only. No complete |
| # Strict-Transport-Security header line is provided. |
| "Strict-Transport-Security:" |
| "includeSubDomains" |
| |
| # Vary: header name plus two complete header lines. |
| "Vary:" |
| "\x0AVary: Cookie" |
| "\x0AVary: Age" |
| |
| # NOTE(review): the sample ETag value is unquoted, whereas a well-formed |
| # entity-tag is a quoted string; this may be deliberate - confirm. |
| "ETag:" |
| "\x0AETag: jumboshrimp" |
| |
| |
| # The entries below were generated with |
| # testing/libfuzzer/dictionary_generator.py, using the |
| # net_http_stream_parser_fuzzer binary and RFC 2616 as inputs. |
| "all" |
| "code" |
| "maximum" |
| "Transfer-Encoding" |
| "D.," |
| "results" |
| "follow" |
| "(LZW)." |
| "provided." |
| "(which" |
| "ISDN" |
| "\"TE\"" |
| "LF>" |
| "FORCE" |
| "calculate" |
| "\"IETF" |
| "UNIX," |
| "ARPA" |
| "\"OPTIONAL\"" |
| "environment" |
| "ENGINEERING" |
| "program" |
| "USENET" |
| "TEXT" |
| "Not" |
| "Nov" |
| "include" |
| "resources" |
| "(STD" |
| "labels" |
| "string" |
| "returning" |
| "HTTP/1.1;" |
| "SP," |
| "SP." |
| "entries" |
| "HTTP/1.1," |
| "HTTP/1.1." |
| "difference" |
| "(URI):" |
| "did" |
| "[CRLF]" |
| "EXPRESS" |
| "list" |
| "HTTP/1.0\"," |
| "(RFC" |
| "large" |
| "ONLY" |
| "Tag" |
| "(LWS" |
| "(URL)\"," |
| "\"A\"..\"Z\">" |
| "unexpected" |
| "GET)" |
| "direct" |
| "Failed" |
| "second" |
| "Version" |
| "\"A\"" |
| "allowed." |
| "GET," |
| "tag." |
| "implemented" |
| "\"HTTP/1.0\"" |
| "errors" |
| "ISO-8859-4," |
| "appear" |
| "incompatible" |
| "section" |
| "CPU" |
| "current" |
| "waiting" |
| "version" |
| "above" |
| "TTL" |
| "new" |
| "CRLF)" |
| "public" |
| "FTP" |
| "NNTP." |
| "WWW-" |
| "never" |
| "equals" |
| "\"HTTP/1.1" |
| "reported" |
| "objects" |
| "address" |
| "active" |
| "\"HEAD\"" |
| "[" |
| "\"POST\"" |
| "HTTP." |
| "change" |
| "MA" |
| "\"AS" |
| "last-modified" |
| "BACK)" |
| "NOT" |
| "NNTP" |
| "named" |
| "useful" |
| "secure" |
| "case." |
| "detected." |
| "\"HTTP\"" |
| "private" |
| "CERN/3.0" |
| "CTE" |
| "(CTE)" |
| "Too" |
| "CTL" |
| "PUT," |
| "user-agent" |
| "PUT)" |
| "POST" |
| "select" |
| "use" |
| "TASK" |
| "from" |
| "exception." |
| "working" |
| "to" |
| "positive" |
| "two" |
| "URI;" |
| "properties" |
| "few" |
| "--THIS_STRING_SEPARATES" |
| "POST," |
| "call" |
| "memory" |
| "MUST," |
| "scope" |
| "type" |
| "authorization" |
| "more" |
| "ISO-8859-9," |
| "(GMT)," |
| "(TE)" |
| "name." |
| "LF," |
| "RFC-850" |
| "warn" |
| "bytes," |
| "Found" |
| "cases" |
| "MHTML" |
| "name:" |
| "must" |
| "Content" |
| "ALL" |
| "MHTML," |
| "RIGHTS" |
| "this" |
| "NTP" |
| "work" |
| "--THIS_STRING_SEPARATES--" |
| "Syntax" |
| "can" |
| "of" |
| "following" |
| "\"I" |
| "closing" |
| "root" |
| "example" |
| "requested," |
| "J.," |
| "type." |
| "reserved" |
| "stream" |
| "process" |
| "attribute" |
| "allowed" |
| "high" |
| "currency" |
| "numbers" |
| "want" |
| "type:" |
| "native" |
| "LF" |
| "class," |
| "end" |
| "Missing" |
| "HTTP-" |
| "HTTP," |
| "links" |
| "1" |
| "line." |
| "2*N" |
| "H." |
| "1XX" |
| "WARRANTIES," |
| "HTTP:" |
| "A" |
| "badly" |
| "HEAD" |
| "may" |
| "insecure" |
| "after" |
| "containing" |
| "tracking" |
| "wrong" |
| "[SP" |
| "ANSI," |
| "date" |
| "such" |
| "data" |
| "parallel" |
| "repeat" |
| "a" |
| "FTP," |
| "All" |
| "short" |
| "Y." |
| "UA" |
| "(2**N)," |
| "element" |
| "so" |
| "cases." |
| "File" |
| "(LWS)" |
| "\"DEFLATE" |
| "order" |
| "charset" |
| "\"SHOULD" |
| "don't" |
| "MIC" |
| "move" |
| "vary" |
| "satisfied" |
| "CD-ROM," |
| "HTTP-WG." |
| "LINK," |
| "pointer" |
| "its" |
| "digest" |
| "before" |
| "HTML" |
| "(OK)" |
| "Rules" |
| "MAY," |
| "fix" |
| "ISO-3166" |
| "actually" |
| "407" |
| "(GNU" |
| "\"HTTP/1.1\"," |
| "P.," |
| "401" |
| "MERCHANTABILITY" |
| "DNS." |
| "into" |
| "\"HTTP" |
| "it." |
| "it," |
| "return" |
| "URL" |
| "URI" |
| "number" |
| "Bad" |
| "not" |
| "However," |
| "SSL" |
| "name" |
| "always" |
| "expectation." |
| "--" |
| "ISO-639" |
| "]URI," |
| "found" |
| "trailer" |
| "mean" |
| "breakdown" |
| "From" |
| "UTC" |
| "(via" |
| "(URI)" |
| "UNLINK" |
| "expect" |
| "exceeded" |
| "(MIC)" |
| "event" |
| "out" |
| "is:" |
| "E." |
| "space" |
| "\"MUST/MAY/SHOULD\"" |
| "REQUIRED" |
| "ALPHA" |
| "HTTP/2.4" |
| "4DIGIT" |
| "increase" |
| "L." |
| "time." |
| "PATCH," |
| "supports" |
| "2DIGIT" |
| "K.," |
| "(A," |
| "This" |
| "free" |
| "\"B\"" |
| "RFC" |
| "base" |
| "IMPLIED," |
| "byte" |
| "received." |
| "generate" |
| "text/plain" |
| "ISO-8859-7," |
| "\"HTTP/1.1\"" |
| "Partial" |
| "could" |
| "transition" |
| "DISCLAIMS" |
| "times" |
| "filter" |
| "HTML\"," |
| "length" |
| "HEAD." |
| "HEAD," |
| "S.," |
| "first" |
| "origin" |
| "\"E\"" |
| "already" |
| "UPALPHA" |
| "3DIGIT" |
| "Cache" |
| "Please" |
| "token." |
| "one" |
| "CHAR" |
| "ISI" |
| "another" |
| "FITNESS" |
| "message" |
| "CSS1," |
| "open" |
| "size" |
| "doesn't" |
| "\"" |
| "script" |
| "unknown" |
| "top" |
| "header)" |
| "system" |
| "construct" |
| "image/gif" |
| "2" |
| "ignored." |
| "listed" |
| "Date" |
| "LOALPHA" |
| "scheme" |
| "store" |
| "too" |
| "M." |
| "Success" |
| "that" |
| "completed" |
| "OPTIONAL;" |
| "R" |
| "pragma" |
| "(IANA" |
| "WAIS" |
| "F.," |
| "than" |
| "K." |
| "target" |
| "Content-Type:" |
| "require" |
| "Only" |
| "HTTP/2.13," |
| "headers" |
| "See" |
| "GMT." |
| "HTTP/2.0," |
| "were" |
| "1)" |
| "IS\"" |
| "1*8ALPHA" |
| "are" |
| "and" |
| "IRC/6.9," |
| "false" |
| "turned" |
| "ANSI" |
| "B" |
| "(IANA)" |
| "tables" |
| "have" |
| "MIME," |
| "need" |
| "HTTP/1.1.)" |
| "null" |
| "any" |
| "contents" |
| "data)" |
| "(LZ77)" |
| "(MIME" |
| "mechanism" |
| "internal" |
| "(C)" |
| "take" |
| "which" |
| "With" |
| "UCI" |
| "HTTP/0.9," |
| "content-" |
| "200" |
| "begin" |
| "multiple" |
| "TCP/IP" |
| "Content-Disposition" |
| "206" |
| "buffer" |
| "object" |
| "\"MUST\"," |
| "regular" |
| "entry" |
| "The" |
| "]" |
| "model" |
| "D." |
| "US-ASCII" |
| "L.," |
| "(URL)" |
| "If" |
| "+" |
| "\"MIME" |
| "Note:" |
| "particularly" |
| "WA" |
| "text" |
| "supported" |
| "\"C\"" |
| "Unrecognized" |
| "CRLF." |
| "CRLF," |
| "SP" |
| "find" |
| "MUST" |
| "true," |
| "cache." |
| "upgrade" |
| "cache)" |
| "implementation" |
| "(" |
| "[RFC" |
| "cache" |
| "outside" |
| "should" |
| "failed" |
| "only" |
| "URL)." |
| "LDAP)" |
| "USA" |
| "WARRANTIES" |
| "(UA)" |
| "get" |
| "there" |
| "HEREIN" |
| "\"HTTP\"." |
| "cannot" |
| "shared" |
| "THE" |
| "BNF" |
| "DIGIT," |
| "closure" |
| "PUT" |
| "reading" |
| "resource" |
| "A.," |
| "W." |
| "16" |
| "ISO-8859." |
| "calling" |
| "J." |
| "INCLUDING" |
| "common" |
| "INTERNET" |
| "release" |
| "ISI/RR-98-463," |
| "\"CONNECT\"" |
| "where" |
| "set" |
| "IANA" |
| "For" |
| "\"F\"" |
| "configured" |
| "C" |
| "this," |
| "multipart" |
| "close" |
| "E.," |
| "end." |
| "detect" |
| "GET" |
| "WWW\"," |
| "1*DIGIT" |
| "BUT" |
| "MIT" |
| "3" |
| "unable" |
| "between" |
| "probably" |
| "boundary" |
| "0)" |
| "\"SHALL" |
| "\"RECOMMENDED\"," |
| "available" |
| "we" |
| "FOR" |
| "missing" |
| "importance" |
| "screen" |
| "connection." |
| "PARTICULAR" |
| "UNIX" |
| "STD" |
| "ISO-8859-1" |
| "key" |
| "(MIME)" |
| "P." |
| "\"HTTP/1.1\"." |
| "HTTP/1.0)," |
| "AND" |
| "received" |
| "WWW" |
| "TRACE" |
| "\"MAY\"," |
| "many" |
| "*TEXT" |
| "Unsupported" |
| "using:" |
| "connection" |
| "Unicode" |
| "*OCTET" |
| "exceeds" |
| "(URN)" |
| "safely" |
| "ANY" |
| "can't" |
| "WARRANTY" |
| "ISO-8859-8," |
| "Content-Length" |
| "consume" |
| "simple" |
| "header" |
| "DNS)" |
| "colon" |
| "\"GET\"" |
| "spans" |
| "1*HEX" |
| "table" |
| "allocated" |
| "BCP" |
| "application/pdf" |
| "LWS:" |
| "save" |
| "\"REQUIRED\"," |
| "Wed," |
| "C." |
| "C," |
| "encryption" |
| "create" |
| "(MHTML)\"," |
| "been" |
| "." |
| "HTTP/12.3." |
| "\"PUT\"" |
| "context." |
| "LWS," |
| "basic" |
| "expected" |
| "prototype" |
| "GMT," |
| "empty" |
| "define" |
| "PNG,\"" |
| "\"D\"" |
| "with" |
| "CA" |
| "HEX" |
| "N" |
| "0*3DIGIT" |
| "\"W/\"" |
| "CR" |
| "\"DELETE\"" |
| "unnecessarily" |
| "case" |
| "exception" |
| "(A" |
| "(HTTP)" |
| "value" |
| "INFRINGE" |
| "while" |
| "\"GZIP" |
| "\"SHALL\"," |
| "error" |
| "\"GMT\"" |
| "(LWS)." |
| "resident" |
| "is" |
| "thus" |
| "it" |
| "encountered" |
| "parse" |
| "MIME" |
| "in" |
| "SIGCOMM" |
| "You" |
| "if" |
| "result" |
| "binary" |
| "different" |
| "\"A" |
| ")" |
| "CREATE" |
| "expired" |
| "1DIGIT" |
| "same" |
| "OPTIONS" |
| "transfer-encoding" |
| "BNF," |
| "unrecognized" |
| "units" |
| "UST" |
| "status" |
| "\"%" |
| "used" |
| "http" |
| "context" |
| "I" |
| "IP" |
| "(O)." |
| "allocation" |
| "running" |
| "*LWS" |
| "user" |
| "SMTP" |
| "\"SHOULD\"," |
| "stack" |
| "task" |
| "CR." |
| "failing" |
| "IETF" |
| "M.," |
| "Names" |
| "In" |
| "position" |
| "the" |
| "audio" |
| "left" |
| "US-ASCII." |
| "MAY" |
| "THAT" |
| "being" |
| "(OK)." |
| "actions" |
| "invalid" |
| "HTTP/1.0)" |
| "CRC." |
| "previous" |
| "adding" |
| "TO" |
| "<US-ASCII" |
| "source" |
| "ISO-8859-2," |
| "\"OPTIONS\"" |
| "location" |
| "HTTP/1.0" |
| "HTTP/1.1" |
| "size," |
| "has" |
| "match" |
| "build" |
| "URI." |
| "tests" |
| "format" |
| "read" |
| "H.," |
| "T" |
| "using" |
| "LIMITED" |
| "OK" |
| "text/html" |
| "success" |
| "ISO-8859-5," |
| "B," |
| "signal" |
| "MIME:" |
| "(HTCPCP/1.0)\"," |
| "server" |
| "ignore" |
| "OF" |
| "output" |
| "page" |
| "S." |
| "because" |
| "old" |
| "sequence" |
| "HT." |
| "B.," |
| "some" |
| "back" |
| "HT" |
| "Last-Modified" |
| "growth" |
| "DEL" |
| "specified" |
| "unless" |
| "H.F.," |
| "HTTP/1.0." |
| "(BNF)" |
| "happens" |
| "discarded" |
| "PUT." |
| "INDEX." |
| "trace" |
| "for" |
| "avoid" |
| "CR," |
| "does" |
| "CONNECT" |
| "assuming" |
| "be" |
| "run" |
| "GET." |
| "deleted" |
| "equivalent" |
| "X3.4-1986" |
| "<URL:" |
| "O" |
| "ISO-8859-1." |
| "broken" |
| "host" |
| "HTTP/1.0," |
| "LWS>" |
| "INFORMATION" |
| "X3.4-1986," |
| "by" |
| "ALPHA," |
| "Location" |
| "on" |
| "DIGIT" |
| "actual" |
| "extension" |
| "tracing" |
| "R.," |
| "\"UTF-8," |
| "*<TEXT," |
| "OR" |
| "range" |
| "3ALPHA" |
| "URI," |
| "value." |
| "Message" |
| "DELETE" |
| "content-type" |
| "or" |
| "UC" |
| "No" |
| "ISO-" |
| "image" |
| "ACM" |
| "HEX\"" |
| "URL," |
| "ISO-8859-6," |
| "T.," |
| "operator" |
| "T/TCP" |
| "file." |
| "GET\"" |
| "transfer" |
| "support" |
| "*" |
| "long" |
| "class" |
| "start" |
| "forward" |
| "was" |
| "function" |
| "HT," |
| "N." |
| "HTTP/1.1\"," |
| "OCTET" |
| "but" |
| "failure" |
| "TE:" |
| "IMPLIED" |
| "CRLF" |
| "DNS" |
| "Error" |
| "\"ZLIB" |
| "line" |
| "trying" |
| "true" |
| "GMT" |
| "count" |
| "default" |
| "B." |
| "ISO-8859-1," |
| "up" |
| "ISO-8859-1)" |
| "SHOULD" |
| "PURPOSE." |
| "used." |
| "WILL" |
| ">" |
| "called" |
| "delete" |
| "DELETE," |
| "storing" |
| "USE" |
| "image/jpeg" |
| "defined" |
| "LWS" |
| "URL." |
| "unsafe" |
| "an" |
| "To" |
| "as" |
| "warning" |
| "exist" |
| "at" |
| "file" |
| "NOT\"" |
| "NOT," |
| "W3C/MIT" |
| "ISO-8859-1:1987." |
| "SHTTP/1.3," |
| "no" |
| "when" |
| "A," |
| "virtual" |
| "A." |
| "details." |
| "application" |
| "valid" |
| "OPTIONAL" |
| "\"TRACE\"" |
| "test" |
| "MD5" |
| "you" |
| "TE" |
| "ISO-8859-3," |
| "requested" |
| "elements" |
| "C)" |
| "symbol" |
| "T." |
| "code)" |
| "variable" |
| "SOCIETY" |
| "\"MUST" |
| "TCP" |
| "ISO-10646\"," |
| "NOT\"," |
| "R." |
| "audio/basic" |
| "IANA." |
| "\"WAIS" |
| "persistent" |
| "Its" |
| "As" |
| "time" |
| "failures" |
| "\"ISO-8859-1\"" |
| "once" |
| |