From b111ef717eaefe876cb02e6930cf4668d2138c1a Mon Sep 17 00:00:00 2001
From: wangkx <kevin.wang@lexisnexis.com>
Date: Tue, 3 Oct 2023 08:59:07 -0400
Subject: [PATCH] HPCC-30231 Handle HTTP headers/path case insensitively

Also fix the partial string matching

Signed-off-by: wangkx <kevin.wang@lexisnexis.com>
---
 esp/bindings/http/client/httpclient.cpp      |  1 +
 esp/bindings/http/platform/httptransport.cpp | 46 +++++++++++++++++++-
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/esp/bindings/http/client/httpclient.cpp b/esp/bindings/http/client/httpclient.cpp
index 6f9968ea850..38061770de5 100644
--- a/esp/bindings/http/client/httpclient.cpp
+++ b/esp/bindings/http/client/httpclient.cpp
@@ -516,6 +516,7 @@ void copyHeaders(CHttpMessage &copyTo, CHttpMessage &copyFrom, bool resetForward
                 }
                 break;
             case 'X':
+            case 'x':
                 if (strieq(name, "X-Forwarded-For"))
                 {
                     if (resetForwardedFor)
diff --git a/esp/bindings/http/platform/httptransport.cpp b/esp/bindings/http/platform/httptransport.cpp
index 258c853fcdd..49461934a59 100644
--- a/esp/bindings/http/platform/httptransport.cpp
+++ b/esp/bindings/http/platform/httptransport.cpp
@@ -798,6 +798,49 @@ void CHttpMessage::logSOAPMessage(const char* message, const char* prefix)
     return;
 }
 
+static const char* POST_METHOD_STR = "POST ";
+static bool skipLogContent(const char* httpHeader)
+{
+    if (!startsWith(httpHeader, POST_METHOD_STR))
+        return false;
+
+    const char* servicePtr = httpHeader + 5;
+    if (isEmptyString(servicePtr) || (servicePtr[0] != '/'))
+        return false;
+
+    const char* methodPtr = strchr(++servicePtr, '/');
+    if (!methodPtr)
+        return false;
+
+    unsigned serviceType = 0;
+    if (startsWithIgnoreCase(servicePtr, "ws_access/"))
+        serviceType = 1;
+    else if (startsWithIgnoreCase(servicePtr, "ws_account/"))
+        serviceType = 2;
+    if (serviceType == 0)
+        return false;
+
+    StringBuffer espMethod;
+    const char* tail = strchr(++methodPtr, '.');
+    if (tail && (startsWithIgnoreCase(tail, ".xml") || startsWithIgnoreCase(tail, ".json")))
+        espMethod.append(tail - methodPtr, methodPtr);
+    else
+    {
+        tail = strchr(methodPtr, '?');
+        if (!tail)
+            tail = strchr(methodPtr, ' ');
+        if (tail)
+            espMethod.append(tail - methodPtr, methodPtr);
+        else
+            espMethod.append(methodPtr);
+    }
+
+    if (serviceType == 1)
+        return (strieq(espMethod, "AddUser") || strieq(espMethod, "UserResetPass"));
+
+    return strieq(espMethod, "UpdateUser");
+}
+
 void CHttpMessage::logMessage(MessageLogFlag messageLogFlag, const char *prefix)
 {
     logMessage(messageLogFlag, m_content, prefix);
@@ -812,8 +855,7 @@ void CHttpMessage::logMessage(MessageLogFlag messageLogFlag, StringBuffer& conte
 
         if (((messageLogFlag == LOGCONTENT) || (messageLogFlag == LOGALL)) && (content.length() > 0))
         {//log content
-            if ((m_header.length() > 0) && (startsWith(m_header.str(), "POST /ws_access/AddUser")
-                || startsWith(m_header.str(), "POST /ws_access/UserResetPass") || startsWith(m_header.str(), "POST /ws_account/UpdateUser")))
+            if (skipLogContent(m_header))
                 DBGLOG("%s<For security, ESP does not log the content of this request.>", prefix);
             else if (isSoapMessage())
                 logSOAPMessage(content.str(), prefix);