
Commit 9ce3e49

yknoyamaskit
andauthored
Make chunk size parsing more strict (#12187)
Co-authored-by: Masakazu Kitajo <maskit@apache.org>
1 parent a79a04c commit 9ce3e49

2 files changed

Lines changed: 50 additions & 3 deletions


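--- a/src/proxy/http/HttpTunnel.cc
+++ b/src/proxy/http/HttpTunnel.cc
@@ -183,9 +183,10 @@ ChunkedHandler::read_size()
 }
 } else {
 // We are done parsing size
-if ((num_digits == 0 || running_sum < 0) || /* Bogus chunk size */
-(!ParseRules::is_wslfcr(*tmp) && *tmp != ';') /* Unexpected character */
-) {
+const auto is_bogus_chunk_size = (num_digits == 0 || running_sum < 0);
+const auto is_rfc_compliant_char = (ParseRules::is_ws(*tmp) || ParseRules::is_cr(*tmp) || *tmp == ';');
+const auto is_acceptable_lf = (ParseRules::is_lf(*tmp) && !strict_chunk_parsing);
+if (is_bogus_chunk_size || (!is_rfc_compliant_char && !is_acceptable_lf)) {
 state = CHUNK_READ_ERROR;
 done = true;
 break;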
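Review bot: The `is_acceptable_lf` line still accepts a bare LF right after the chunk size whenever `strict_chunk_parsing` is false, and nothing at that line records why or what the flag defaults to; its declaration is outside this hunk, so if the default is lenient the stricter parsing is opt-in. Disagreement between a proxy and its peers about where the chunk-size line ends is the framing ambiguity this commit tightens, so the leniency deserves a why-comment such as `// A bare LF right after the chunk size is tolerated only when strict_chunk_parsing is off.` The name `is_rfc_compliant_char` also claims a little too much, since, as I read RFC 9112, whitespace after the size is only tolerated ahead of a `;` extension; `is_allowed_after_size` would promise less. `ChunkedHandler::read_size()` starts and ends outside the hunk, so how an accepted CR is later paired with an LF cannot be checked from here.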

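--- a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
+++ b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
@@ -236,3 +236,49 @@ sessions:
 encoding: uri
 # Chunk header must end with a sequence of CRLF.
 data: 3;x%0Adef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+- client-request:
+method: "GET"
+version: "1.1"
+url: /response/malformed/chunk/size2
+headers:
+fields:
+- [ Host, example.com ]
+- [ uuid, 106 ]
+
+# The connection will be dropped and this response will not go out.
+server-response:
+status: 200
+reason: OK
+headers:
+fields:
+- [ Transfer-Encoding, chunked ]
+content:
+transfer: plain
+encoding: uri
+# Chunk header must end with a sequence of CRLF.
+data: 3%0Ddef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+- client-request:
+method: "GET"
+version: "1.1"
+url: /response/malformed/chunk/size2
+headers:
+fields:
+- [ Host, example.com ]
+- [ uuid, 107 ]
+
+# The connection will be dropped and this response will not go out.
+server-response:
+status: 200
+reason: OK
+headers:
+fields:
+- [ Transfer-Encoding, chunked ]
+content:
+transfer: plain
+encoding: uri
+# Chunk header must end with a sequence of CRLF.
+data: 3%0Adef%0D%0A0%0D%0A%0D%0A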
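Review bot: Both added transactions repeat the same comment, `# Chunk header must end with a sequence of CRLF.`, and the same URL, so the replay never says which malformation each case exercises. The `data` for uuid 106 puts a CR with no LF after the size (`3%0D`) and uuid 107 a bare LF (`3%0A`); comments such as `# Chunk size followed by CR without LF.` and `# Chunk size followed by a bare LF.` would make a later failure easier to read. The uuid 107 case expects the connection to be dropped, which per the HttpTunnel.cc change in this commit happens only when `strict_chunk_parsing` is on, so the test presumably relies on configuration not visible here. No companion case pinning the lenient path (bare LF accepted when the flag is off) appears in this hunk.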
