This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 99f35be134da54574bd1f58bbd9cdbb8df95bf5d
Author: Katsutoshi Ikenoya <[email protected]>
AuthorDate: Wed Apr 16 00:29:35 2025 +0900
Make chunk size parsing more strict (#12187)
Co-authored-by: Masakazu Kitajo <[email protected]>
(cherry picked from commit 9ce3e49f3654e744aac6f7022c27f437dc255c53)
---
 src/proxy/http/HttpTunnel.cc | 7 ++--
 .../replays/malformed_chunked_header.replay.yaml | 46 ++++++++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/src/proxy/http/HttpTunnel.cc b/src/proxy/http/HttpTunnel.cc
index 6896ea1731..1a37024161 100644
--- a/src/proxy/http/HttpTunnel.cc
+++ b/src/proxy/http/HttpTunnel.cc
@@ -183,9 +183,10 @@ ChunkedHandler::read_size()
 }
 } else {
 // We are done parsing size
- if ((num_digits == 0 || running_sum < 0) || /* Bogus chunk size */
- (!ParseRules::is_wslfcr(*tmp) && *tmp != ';') /* Unexpected character */
- ) {
+ const auto is_bogus_chunk_size = (num_digits == 0 || running_sum < 0);
+ const auto is_rfc_compliant_char = (ParseRules::is_ws(*tmp) || ParseRules::is_cr(*tmp) || *tmp == ';');
+ const auto is_acceptable_lf = (ParseRules::is_lf(*tmp) && !strict_chunk_parsing);
+ if (is_bogus_chunk_size || (!is_rfc_compliant_char && !is_acceptable_lf)) {
 state = CHUNK_READ_ERROR;
 done = true;
 break;
diff --git a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
index c64eb8e385..6e058a3d81 100644
--- a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
+++ b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
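Review bot: In the HttpTunnel.cc hunk, `is_rfc_compliant_char` accepts a lone CR or any whitespace directly after the chunk size, so the name overstates what the check guarantees. Rejecting a size line that ends in CR without LF (the new uuid 106 replay) must therefore happen in a later state outside this hunk. When `strict_chunk_parsing` is false, a bare LF still ends the size line, and framing chunks differently from peers is the precondition for HTTP smuggling. The lenient path should say so, for example `// Bare LF is tolerated only in non-strict mode; RFC 9112 section 7.1 requires CRLF, and lenient framing can desync us from peers.` Where `strict_chunk_parsing` is set and what it defaults to is not visible here, and `read_size()` begins and ends outside the hunk.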
@@ -236,3 +236,49 @@ sessions:
 encoding: uri
 # Chunk header must end with a sequence of CRLF.
 data: 3;x%0Adef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+ - client-request:
+ method: "GET"
+ version: "1.1"
+ url: /response/malformed/chunk/size2
+ headers:
+ fields:
+ - [ Host, example.com ]
+ - [ uuid, 106 ]
+
+ # The connection will be dropped and this response will not go out.
+ server-response:
+ status: 200
+ reason: OK
+ headers:
+ fields:
+ - [ Transfer-Encoding, chunked ]
+ content:
+ transfer: plain
+ encoding: uri
+ # Chunk header must end with a sequence of CRLF.
+ data: 3%0Ddef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+ - client-request:
+ method: "GET"
+ version: "1.1"
+ url: /response/malformed/chunk/size2
+ headers:
+ fields:
+ - [ Host, example.com ]
+ - [ uuid, 107 ]
+
+ # The connection will be dropped and this response will not go out.
+ server-response:
+ status: 200
+ reason: OK
+ headers:
+ fields:
+ - [ Transfer-Encoding, chunked ]
+ content:
+ transfer: plain
+ encoding: uri
+ # Chunk header must end with a sequence of CRLF.
+ data: 3%0Adef%0D%0A0%0D%0A%0D%0A
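Review bot: The two added transactions share the same `url` (`/response/malformed/chunk/size2`) and the same copied comment, so only the uuid and the `data` bytes show that 106 sends a bare CR and 107 a bare LF after the chunk size. Replace the copied comment per case, e.g. `# Bare CR without LF after the chunk size.` and `# Bare LF without CR after the chunk size.`, and consider giving each case its own URL so a failure in the logs maps to one case. Going by the HttpTunnel.cc change in this commit, case 107 is dropped only when strict chunk parsing is enabled. The setting that turns it on for this test is not part of the hunk and should be confirmed.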
