From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Wed, 18 Nov 2020 20:50:21 -0800 Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` Duplicate `Transfer-Encoding` header should be a treated as a single, but with original header values concatenated with a comma separator. In the light of this, even if the past `Transfer-Encoding` ended with `chunked`, we should be not let the `F_CHUNKED` to leak into the next header, because mere presence of another header indicates that `chunked` is not the last transfer-encoding token. CVE-ID: CVE-2020-8287 PR-URL: https://github.com/nodejs-private/node-private/pull/235 Reviewed-By: Fedor Indutny --- http_parser.c | 7 +++++++ test.c | 26 ++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/http_parser.c b/http_parser.c index 9be003e7322..e9b2b9e83b9 100644 --- a/http_parser.c +++ b/http_parser.c @@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { parser->header_state = h_transfer_encoding; parser->uses_transfer_encoding = 1; + + /* Multiple `Transfer-Encoding` headers should be treated as + * one, but with values separate by a comma. + * + * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 + */ + parser->flags &= ~F_CHUNKED; } break; diff --git a/test.c b/test.c index 3f7c77b3494..2e5a9ebd678 100644 --- a/test.c +++ b/test.c @@ -2154,6 +2154,32 @@ const struct message responses[] = ,.body= "2\r\nOK\r\n0\r\n\r\n" ,.num_chunks_complete= 0 } +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" + ,.type= HTTP_RESPONSE + ,.raw= "HTTP/1.1 200 OK\r\n" + "Transfer-Encoding: chunked\r\n" + "Transfer-Encoding: identity\r\n" + "\r\n" + "2\r\n" + "OK\r\n" + "0\r\n" + "\r\n" + ,.should_keep_alive= FALSE + ,.message_complete_on_eof= TRUE + ,.http_major= 1 + ,.http_minor= 1 + ,.status_code= 200 + ,.response_status= "OK" + ,.content_length= -1 + ,.num_headers= 2 + ,.headers= + { { "Transfer-Encoding", "chunked" } + , { "Transfer-Encoding", "identity" } + } + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } }; /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so 1'>Expand)Author 2020-08-02services: Add zram-device-service....* gnu/services/linux.scm (<zram-device-configuration>): New record. (zram-device-service-type): New variable. * doc/guix.texi (Linux Services): Document it. * tests/services/linux.scm (zram-swap-device-test): New tests. Efraim Flashner sane)[arguments]: Use SEARCH-INPUT-FILE. Change-Id: I4c4423cf1808f5934d97fd20bf25ac074d5617b2 2024-08-18gnu: xsane: Update package style.Tobias Geerinckx-Rice * gnu/packages/scanner.scm (xsane) [source]: Don't needlessly return #t. [arguments]: Likewise. Use G-expressions. [inputs]: Remove input labels. Change-Id: Icafb32f7996a89c0a1ccb3a376637ff8110ac05c 2024-06-24gnu: sane-backends: Update to 1.3.1.Andy Tai * gnu/packages/scanner.scm (sane-backends-minimal): Update to 1.3.1. Change-Id: I63a4e744b16b8bbfa18939bd7fbb0ee58a460181 Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com> 2024-02-16gnu: sane-backends-minimal: Update to 1.2.1.John Fremlin * gnu/packages/scanner.scm (sane-backends-minimal): Update to 1.2.1. Change-Id: I16e3474616ee427f657c13150662f3e1a6e1bd24 Signed-off-by: Clément Lassieur <clement@lassieur.org>