From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Wed, 18 Nov 2020 20:50:21 -0800 Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` Duplicate `Transfer-Encoding` header should be a treated as a single, but with original header values concatenated with a comma separator. In the light of this, even if the past `Transfer-Encoding` ended with `chunked`, we should be not let the `F_CHUNKED` to leak into the next header, because mere presence of another header indicates that `chunked` is not the last transfer-encoding token. CVE-ID: CVE-2020-8287 PR-URL: https://github.com/nodejs-private/node-private/pull/235 Reviewed-By: Fedor Indutny --- http_parser.c | 7 +++++++ test.c | 26 ++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/http_parser.c b/http_parser.c index 9be003e7322..e9b2b9e83b9 100644 --- a/http_parser.c +++ b/http_parser.c @@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { parser->header_state = h_transfer_encoding; parser->uses_transfer_encoding = 1; + + /* Multiple `Transfer-Encoding` headers should be treated as + * one, but with values separate by a comma. + * + * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 + */ + parser->flags &= ~F_CHUNKED; } break; diff --git a/test.c b/test.c index 3f7c77b3494..2e5a9ebd678 100644 --- a/test.c +++ b/test.c @@ -2154,6 +2154,32 @@ const struct message responses[] = ,.body= "2\r\nOK\r\n0\r\n\r\n" ,.num_chunks_complete= 0 } +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" + ,.type= HTTP_RESPONSE + ,.raw= "HTTP/1.1 200 OK\r\n" + "Transfer-Encoding: chunked\r\n" + "Transfer-Encoding: identity\r\n" + "\r\n" + "2\r\n" + "OK\r\n" + "0\r\n" + "\r\n" + ,.should_keep_alive= FALSE + ,.message_complete_on_eof= TRUE + ,.http_major= 1 + ,.http_minor= 1 + ,.status_code= 200 + ,.response_status= "OK" + ,.content_length= -1 + ,.num_headers= 2 + ,.headers= + { { "Transfer-Encoding", "chunked" } + , { "Transfer-Encoding", "identity" } + } + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } }; /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so class='content'>
AgeCommit message (Expand)Author
2021-05-25guile: Leave 'scm_install_gmp_memory_functions' unchanged....Since the switch to Guile 3.0.7 using mini-GMP, we can leave 'scm_install_gmp_memory_functions' to its default value, which is to use custom memory allocators; there is no interference with users of GMP such as GnuTLS/Nettle. * gnu/packages/aux-files/guile-launcher.c (main) [!SCM_ENABLE_MINI_GMP]: Leave 'scm_install_gmp_memory_functions' unchanged. Ludovic Courtès
2021-02-07guile: Do not install Guile/libgc allocators for GMP....Fixes <https://bugs.gnu.org/46330>. * gnu/packages/aux-files/guile-launcher.c (main): Clear 'scm_install_gmp_memory_functions'. Ludovic Courtès
2020-12-11guix: 'guile' executable ignores GUILE_LOAD_PATH during startup....When starting the 'guix' command, this ensures Guile modules are immediately found instead of being search for in other directories. This reduces the number of 'stat' calls during startup when GUILE_LOAD_PATH is set to (almost) that of "env -i $(type -P guix)". * gnu/packages/aux-files/guile-launcher.c (load_path) (load_compiled_path): New variables. (inner_main): Restore GUILE_LOAD_PATH and GUILE_LOAD_COMPILED_PATH and set %load-path and %load-compiled-path accordingly. (main): Save GUILE_LOAD_PATH and GUILE_LOAD_COMPILED_PATH and unset them. Ludovic Courtès