Merge commit from fork

ericmj · web-flow · commit 47e480274802 · 2026-06-02T11:49:17.000+02:00
`Mint.HTTP1.Parse.content_length_header/1` parsed the header value with `Integer.parse/1`, which accepts an optional `+`/`-` sign prefix. The `length >= 0` guard rejected negatives but let values like `+0` or `+123` through, returning them as valid lengths. RFC 7230 defines `Content-Length = 1*DIGIT`, with no sign permitted. On a connection shared with a strict fronting proxy this parser disagreement is a response-smuggling primitive: the proxy frames the body one way and Mint another. Validate that the trimmed value is one or more digits before converting it, so signs, embedded whitespace, or any non-digit byte are rejected with `:invalid_content_length_header`. Fixes GHSA-mjqx-c6f6-7rc2.
diff --git a/lib/mint/http1/parse.ex b/lib/mint/http1/parse.ex
@@ -18,12 +18,19 @@ defmodule Mint.HTTP1.Parse do
   def ignore_until_crlf(<<_char, rest::binary>>), do: ignore_until_crlf(rest)
 
   def content_length_header(string) do
-    case Integer.parse(String.trim_trailing(string)) do
-      {length, ""} when length >= 0 -> {:ok, length}
-      _other -> {:error, {:invalid_content_length_header, string}}
+    trimmed = String.trim_trailing(string)
+
+    if only_digits?(trimmed) do
+      {:ok, String.to_integer(trimmed)}
+    else
+      {:error, {:invalid_content_length_header, string}}
     end
   end
 
+  defp only_digits?(<<char>>) when is_digit(char), do: true
+  defp only_digits?(<<char, rest::binary>>) when is_digit(char), do: only_digits?(rest)
+  defp only_digits?(_other), do: false
+
   def connection_header(string) do
     split_into_downcase_tokens(string)
   end
diff --git a/test/mint/http1/parse_test.exs b/test/mint/http1/parse_test.exs
@@ -14,6 +14,24 @@ defmodule Mint.HTTP1.ParseTest do
 
     assert content_length_header("-10") ==
              {:error, {:invalid_content_length_header, "-10"}}
+
+    assert content_length_header("+0") ==
+             {:error, {:invalid_content_length_header, "+0"}}
+
+    assert content_length_header("+123") ==
+             {:error, {:invalid_content_length_header, "+123"}}
+
+    assert content_length_header("") ==
+             {:error, {:invalid_content_length_header, ""}}
+
+    assert content_length_header("  100") ==
+             {:error, {:invalid_content_length_header, "  100"}}
+
+    assert content_length_header("1 0") ==
+             {:error, {:invalid_content_length_header, "1 0"}}
+
+    assert content_length_header("0x10") ==
+             {:error, {:invalid_content_length_header, "0x10"}}
   end
 
   test "connection_header/1" do
