From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
From: Fedor Indutny <fedor@indutny.com>
Date: Wed, 18 Nov 2020 20:50:21 -0800
Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`

Duplicate `Transfer-Encoding` header should be a treated as a single,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should be not let the `F_CHUNKED` to leak into the next
header, because mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.

CVE-ID: CVE-2020-8287
PR-URL: https://github.com/nodejs-private/node-private/pull/235
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
---
 http_parser.c |  7 +++++++
 test.c        | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/http_parser.c b/http_parser.c
index 9be003e7322..e9b2b9e83b9 100644
--- a/http_parser.c
+++ b/http_parser.c
@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
                 parser->header_state = h_transfer_encoding;
                 parser->uses_transfer_encoding = 1;
+
+                /* Multiple `Transfer-Encoding` headers should be treated as
+                 * one, but with values separate by a comma.
+                 *
+                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
+                 */
+                parser->flags &= ~F_CHUNKED;
               }
               break;
 
diff --git a/test.c b/test.c
index 3f7c77b3494..2e5a9ebd678 100644
--- a/test.c
+++ b/test.c
@@ -2154,6 +2154,32 @@ const struct message responses[] =
   ,.body= "2\r\nOK\r\n0\r\n\r\n"
   ,.num_chunks_complete= 0
   }
+#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
+, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
+  ,.type= HTTP_RESPONSE
+  ,.raw= "HTTP/1.1 200 OK\r\n"
+         "Transfer-Encoding: chunked\r\n"
+         "Transfer-Encoding: identity\r\n"
+         "\r\n"
+         "2\r\n"
+         "OK\r\n"
+         "0\r\n"
+         "\r\n"
+  ,.should_keep_alive= FALSE
+  ,.message_complete_on_eof= TRUE
+  ,.http_major= 1
+  ,.http_minor= 1
+  ,.status_code= 200
+  ,.response_status= "OK"
+  ,.content_length= -1
+  ,.num_headers= 2
+  ,.headers=
+    { { "Transfer-Encoding", "chunked" }
+    , { "Transfer-Encoding", "identity" }
+    }
+  ,.body= "2\r\nOK\r\n0\r\n\r\n"
+  ,.num_chunks_complete= 0
+  }
 };
 
 /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
'>Author</th></tr>
<tr><td><span title='2023-09-09 15:54:37 +0200'>2023-09-09</span></td><td><a href='/guix/commit/gnu/services/cgit.scm?id=4cf4bd1ebe1c4b206ffd686058acd69261672536'>services: cgit: Allow file-like objects for ‘root-readme’.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/services/cgit.scm (cgit-configuration)[root-readme]: Accept
'file-object' instead of only 'string'

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Thomas Albers</td></tr>
<tr><td><span title='2023-07-02 02:00:09 +0200'>2023-07-02</span></td><td><a href='/guix/commit/gnu/services/cgit.scm?id=820e32b556aa978827249ae4687c7423508c04b3'>services: cgit: Remove ‘cgit-repo’ left-overs.</a><span class='msg-avail'>...<span class='msg-tooltip'>This follows up on commit 16d77b31c5024e9288dfd2f25f8eb6d0114a342c.

* gnu/services/cgit.scm (cgit-configuration): Use extant
repository-cgit-configuration variable name.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2022-06-15 00:25:21 +0200'>2022-06-15</span></td><td><a href='/guix/commit/gnu/services/cgit.scm?id=8cb1a49a3998c39f315a4199b7d4a121a6d66449'>services: configuration: Use *unspecified* instead of 'disabled.</a><span class='msg-avail'>...<span class='msg-tooltip'>Use *unspecified* as a marker for field values that have not been set.

Rationale: 'disabled may easily clash with user values for boolean fields, is
confusing (i.e. its meaning is *not* boolean false, but unspecified) and it
also passes silently through the symbol? predicate of a field of type symbol.

* gnu/services/configuration.scm (configuration-missing-default-value):
Renamed from configuration-no-default-value.
(define-maybe-helper): Use *unspecified* instead of 'disabled, and make
the default value optional.
* gnu/home/services/desktop.scm (home-redshift-configuration):
Change (maybe-xyz 'disabled) to maybe-xyz.
* gnu/services/authentication.scm (nslcd-configuration): Likewise.
* gnu/services/cgit.scm (repository-cgit-configuration): Likewise.
* gnu/services/file-sharing.scm (serialize-maybe-string)
(serialize-maybe-file-object): Use 'unspecified?' instead of (eq? val
'disabled).
* gnu/services/messaging.scm (raw-content?): Likewise.
(ssl-configuration): Change (maybe-xyz 'disabled) to maybe-xyz.
(prosody-configuration): Likewise.
* gnu/services/file-sharing.scm (transmission-daemon-configuration):
Likewise.
* gnu/services/messaging.scm (define-all-configurations):
Use *unspecified* instead of 'disabled'.
* gnu/services/networking.scm (opendht-configuration): Likewise.
* gnu/services/pm.scm (tlp-configuration): Likewise.
* gnu/services/telephony.scm (jami-account): Likewise.
(jami-configuration): Likewise.
* gnu/services/vpn.scm (openvpn-client-configuration): Likewise.
* tests/services/configuration.scm ("maybe type, no default")
("maybe type, with default"): New tests.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Attila Lendvai</td></tr>
<tr><td><span title='2021-11-30 01:08:55 +0100'>2021-11-30</span></td><td><a href='/guix/commit/gnu/services/cgit.scm?id=892f1b7273d57b25940700877a02618fe826cc08'>services: Accept &lt;inferior-package&gt;s in lieu of &lt;package&gt;s.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/services/authentication.scm (fprintd-configuration)
(nslcd-configuration): Substitute file-like objects for package ones.
* gnu/services/cgit.scm (cgit-configuration, opaque-cgit-configuration):
Likewise.
* gnu/services/cups.scm (package-list?, cups-configuration): Likewise.
* gnu/services/dns.scm (verify-knot-configuration)
(ddclient-configuration): Likewise.
* gnu/services/docker.scm (docker-configuration): Likewise.
* gnu/services/file-sharing.scm (transmission-daemon-configuration): Likewise.
* gnu/services/getmail.scm (getmail-configuration): Likewise.
* gnu/services/mail.scm (dovecot-configuration)
(opaque-dovecot-configuration): Likewise.
* gnu/services/messaging.scm (prosody-configuration)
(opaque-prosody-configuration): Likewise.
* gnu/services/monitoring.scm (zabbix-server-configuration)
(zabbix-agent-configuration): Likewise.
* gnu/services/networking.scm (opendht-configuration): Likewise.
* gnu/services/pm.scm (tlp-configuration): Likewise.
* gnu/services/telephony.scm (jami-configuration): Likewise.
* gnu/services/virtualization.scm (libvirt-configuration)
(qemu-guest-agent-configuration): Likewise.
* gnu/services/vpn.scm (openvpn-client-configuration): Likewise.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>