fix(http1): fix server misinterpretting multiple Transfer-Encoding headers

amousset · seanmonstar · commit f60512506756 · 2021-02-17T11:06:41.000-08:00
When a request arrived with multiple `Transfer-Encoding` headers, hyper would check each if they ended with `chunked`. It should have only checked if the *last* header ended with `chunked`. See GHSA-6hfq-h8hq-87mf
diff --git a/src/proto/h1/role.rs b/src/proto/h1/role.rs
@@ -170,6 +170,8 @@ impl Http1Transaction for Server {
                     if headers::is_chunked_(&value) {
                         is_te_chunked = true;
                         decoder = DecodedLength::CHUNKED;
+                    } else {
+                        is_te_chunked = false;
                     }
                 },
                 header::CONTENT_LENGTH => {
@@ -1226,6 +1228,15 @@ mod tests {
             \r\n\
         ", "transfer-encoding doesn't end in chunked");
 
+        parse_err(
+            "\
+             POST / HTTP/1.1\r\n\
+             transfer-encoding: chunked\r\n\
+             transfer-encoding: afterlol\r\n\
+             \r\n\
+             ",
+            "transfer-encoding multiple lines doesn't end in chunked",
+        );
 
         // http/1.0
 
