client: perform strict chunk size parsing #4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jow-
force-pushed
the
fix-chunk-size-parsing
branch
from
cf071f4 to
3b723c4
Compare
|
Consider the case in which the chunk size is just |
|
Also, chunk-extensions do have a grammar that it may be worth considering enforcing. |
Since we're not consuming any body data when serving file requests, forcibly shut down keep-alive connections after requests indicating either a content-length or a chunked transfer encoding in order to avoid interpreting request body data as subsequent HTTP request. Signed-off-by: Jo-Philipp Wich <[email protected]>
Commit 15346de ("client: Always close connection with request body in case of error") added logic to close keep alive connections on HTTP errors due to unconsumed request body data. However, since the check happens after emitting the standard HTTP headers, uhttpd might incorrectly reply with a `Connection: keep-alive` even if it is going to close the connection. Move the check before the emitting of the response headers in order to ensure that we're sending the correct `Connection: close` line. Fixes: 15346de ("client: Always close connection with request body in case of error") Signed-off-by: Jo-Philipp Wich <[email protected]>
The function `uh_header_error()` will tear down the connection after sending the HTTP reply message, so update the `connection_close` flag accordingly to avoid incorrectly emitting a `Connection: keep-alive` header. Signed-off-by: Jo-Philipp Wich <[email protected]>
jow-
force-pushed
the
fix-chunk-size-parsing
branch
from
3b723c4 to
3c0fcf1
Compare
Introduce infrastructure and logic to perform less lenient parsing of HTTP request headers, chunk size headers and content-length values. We can not rely on `strtoul()` to parse hexadecimal chunk sizes or content length values as it accepts a wider range of inputs than what is allowed by the HTTP spec. Decode the chunk sizes and length values manually and fix skipping chunk extension headers while we're at it. Also ensure that there's no trailing garbage after the size and that we bail out on overflows. Also rework the parsing of request header lines, to reject malformed header lines or illegal header names. Fixes: openwrt#3 Fixes: openwrt#5 Signed-off-by: Jo-Philipp Wich <[email protected]>
jow-
force-pushed
the
fix-chunk-size-parsing
branch
from
3c0fcf1 to
3c8b991
Compare
|
This line in This can also be problematic if the proxy allows trailing data after the chunk contents (for example, see this bug in pound). Might be worth incorporating into this change. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce infrastructure and logic to perform less lenient parsing of HTTP request headers, chunk size headers and content-length values.
We can not rely on
strtoul()to parse hexadecimal chunk sizes or content length values as it accepts a wider range of inputs than what is allowed by the HTTP spec.Decode the chunk sizes and length values manually and fix skipping chunk extension headers while we're at it. Also ensure that there's no trailing garbage after the size and that we bail out on overflows.
Also rework the parsing of request header lines, to reject malformed header lines or illegal header names.
Fixes: #3
Fixes: #5
The function
uh_header_error()will tear down the connection after sending the HTTP reply message, so update theconnection_closeflag accordingly to avoid incorrectly emitting aConnection: keep-aliveheader.Commit 15346de ("client: Always close connection with request body in case of error") added logic to close keep alive connections on HTTP errors due to unconsumed request body data.
However, since the check happens after emitting the standard HTTP headers, uhttpd might incorrectly reply with a
Connection: keep-aliveeven if it is going to close the connection.Move the check before the emitting of the response headers in order to ensure that we're sending the correct
Connection: closeline.Fixes: 15346de ("client: Always close connection with request body in case of error")
Since we're not consuming any body data when serving file requests, forcibly shut down keep-alive connections after requests indicating either a content-length or a chunked transfer encoding in order to avoid interpreting request body data as subsequent HTTP request.