From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Wed, 18 Nov 2020 20:50:21 -0800 Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` Duplicate `Transfer-Encoding` header should be a treated as a single, but with original header values concatenated with a comma separator. In the light of this, even if the past `Transfer-Encoding` ended with `chunked`, we should be not let the `F_CHUNKED` to leak into the next header, because mere presence of another header indicates that `chunked` is not the last transfer-encoding token. CVE-ID: CVE-2020-8287 PR-URL: https://github.com/nodejs-private/node-private/pull/235 Reviewed-By: Fedor Indutny --- http_parser.c | 7 +++++++ test.c | 26 ++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/http_parser.c b/http_parser.c index 9be003e7322..e9b2b9e83b9 100644 --- a/http_parser.c +++ b/http_parser.c @@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { parser->header_state = h_transfer_encoding; parser->uses_transfer_encoding = 1; + + /* Multiple `Transfer-Encoding` headers should be treated as + * one, but with values separate by a comma. + * + * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 + */ + parser->flags &= ~F_CHUNKED; } break; diff --git a/test.c b/test.c index 3f7c77b3494..2e5a9ebd678 100644 --- a/test.c +++ b/test.c @@ -2154,6 +2154,32 @@ const struct message responses[] = ,.body= "2\r\nOK\r\n0\r\n\r\n" ,.num_chunks_complete= 0 } +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" + ,.type= HTTP_RESPONSE + ,.raw= "HTTP/1.1 200 OK\r\n" + "Transfer-Encoding: chunked\r\n" + "Transfer-Encoding: identity\r\n" + "\r\n" + "2\r\n" + "OK\r\n" + "0\r\n" + "\r\n" + ,.should_keep_alive= FALSE + ,.message_complete_on_eof= TRUE + ,.http_major= 1 + ,.http_minor= 1 + ,.status_code= 200 + ,.response_status= "OK" + ,.content_length= -1 + ,.num_headers= 2 + ,.headers= + { { "Transfer-Encoding", "chunked" } + , { "Transfer-Encoding", "identity" } + } + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } }; /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so 0-10-20 22:39:43 +0100'>2020-10-20services: databases: Don't specify a default postgresql version....Currently, if the postgresql package major version changes, this is going to break the service upon upgrade, because PostgreSQL will reject the data files from the differing major version of the service. Because it's important to either keep running a particular major version, or intentionally upgrade, I think the configuration would be better with no default. I think this is also going to be helpful when trying to assist users upgrading PostgreSQL. * gnu/services/databases.scm (<postgresql-configuration>): Remove default for postgresql. (postgresql-service-type): Remove the default value. * gnu/tests/databases.scm (%postgresql-os): Update accordingly. * gnu/tests/guix.scm (%guix-data-service-os): Update accordingly. * gnu/tests/monitoring.scm (%zabbix-os): Update accordingly. * gnu/tests/web.scm (patchwork-os): Update accordingly. * doc/guix.texi (PostgreSQL): Update accordingly. Christopher Baines 2020-07-13gnu: tests: Fix unbound variable....Record type descriptors were made private in a143e92446859bd1edc7a7aea85b2089c82c77da, but a usage of them was forgotten in the tests files. * gnu/tests/web.scm (patchwork-initial-database-setup-service): Use accessors to access field values instead of unexported type descriptor. Julien Lepiller 2020-04-21tests: web: Explicitly wait for the HTTP port....* gnu/tests/web.scm (run-webserver-test)["HTTP port ready"]: New test. Ludovic Courtès