From 8f93123efef5c1361086688fe4f34c83c89cec02 Mon Sep 17 00:00:00 2001 From: Sean McArthur Date: Fri, 5 Feb 2021 13:27:30 -0800 Subject: [PATCH] fix(http1): fix server misinterpretting multiple Transfer-Encoding headers When a request arrived with multiple `Transfer-Encoding` headers, hyper would check each if they ended with `chunked`. It should have only checked if the *last* header ended with `chunked`. See https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf --- src/proto/h1/role.rs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/proto/h1/role.rs b/src/proto/h1/role.rs index 0c7eb1eecd..a9f2f0074f 100644 --- a/src/proto/h1/role.rs +++ b/src/proto/h1/role.rs @@ -213,6 +213,8 @@ impl Http1Transaction for Server { if headers::is_chunked_(&value) { is_te_chunked = true; decoder = DecodedLength::CHUNKED; + } else { + is_te_chunked = false; } } header::CONTENT_LENGTH => { @@ -1444,6 +1446,16 @@ mod tests { "transfer-encoding doesn't end in chunked", ); + parse_err( + "\ + POST / HTTP/1.1\r\n\ + transfer-encoding: chunked\r\n\ + transfer-encoding: afterlol\r\n\ + \r\n\ + ", + "transfer-encoding multiple lines doesn't end in chunked", + ); + // http/1.0 assert_eq!(