This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 9ce3e49f36 Make chunk size parsing more strict (#12187)
9ce3e49f36 is described below

commit 9ce3e49f3654e744aac6f7022c27f437dc255c53
Author: Katsutoshi Ikenoya <[email protected]>
AuthorDate: Wed Apr 16 00:29:35 2025 +0900

    Make chunk size parsing more strict (#12187)
    
    Co-authored-by: Masakazu Kitajo <[email protected]>
---
 src/proxy/http/HttpTunnel.cc                       |  7 ++--
 .../replays/malformed_chunked_header.replay.yaml   | 46 ++++++++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/src/proxy/http/HttpTunnel.cc b/src/proxy/http/HttpTunnel.cc
index 6896ea1731..1a37024161 100644
--- a/src/proxy/http/HttpTunnel.cc
+++ b/src/proxy/http/HttpTunnel.cc
@@ -183,9 +183,10 @@ ChunkedHandler::read_size()
           }
         } else {
           // We are done parsing size
-          if ((num_digits == 0 || running_sum < 0) ||       /* Bogus chunk size */
-              (!ParseRules::is_wslfcr(*tmp) && *tmp != ';') /* Unexpected character */
-          ) {
+          const auto is_bogus_chunk_size   = (num_digits == 0 || running_sum < 0);
+          const auto is_rfc_compliant_char = (ParseRules::is_ws(*tmp) || ParseRules::is_cr(*tmp) || *tmp == ';');
+          const auto is_acceptable_lf      = (ParseRules::is_lf(*tmp) && !strict_chunk_parsing);
+          if (is_bogus_chunk_size || (!is_rfc_compliant_char && !is_acceptable_lf)) {
             state = CHUNK_READ_ERROR;
             done  = true;
             break;
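Review bot: The new condition lets a CR through on its own (`ParseRules::is_cr(*tmp)` inside `is_rfc_compliant_char`) without looking at the next byte, so a size line ending in a bare CR is not rejected here and depends on the state that consumes the following byte, which is outside this hunk, to insist on LF. The name `is_rfc_compliant_char` also covers whitespace, which RFC 9112 §7.1 only tolerates as BWS around a chunk extension, so it reads stricter than it is. I would add a comment above the three flags, e.g. `// After the size: ws, CR or ';' may follow; bare LF only when strict_chunk_parsing is off. CR must still be followed by LF (checked later).`, after confirming that the later check exists. Lenient terminators matter at this spot because a proxy and an origin that disagree on where a chunk ends can be desynchronised. `ChunkedHandler::read_size()` starts and ends outside the hunk.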
diff --git a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
index c64eb8e385..6e058a3d81 100644
--- a/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
+++ b/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml
@@ -236,3 +236,49 @@ sessions:
         encoding: uri
         # Chunk header must end with a sequence of CRLF.
         data: 3;x%0Adef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+  - client-request:
+      method: "GET"
+      version: "1.1"
+      url: /response/malformed/chunk/size2
+      headers:
+        fields:
+        - [ Host, example.com ]
+        - [ uuid, 106 ]
+
+    # The connection will be dropped and this response will not go out.
+    server-response:
+      status: 200
+      reason: OK
+      headers:
+        fields:
+        - [ Transfer-Encoding, chunked ]
+      content:
+        transfer: plain
+        encoding: uri
+        # Chunk header must end with a sequence of CRLF.
+        data: 3%0Ddef%0D%0A0%0D%0A%0D%0A
+
+- transactions:
+  - client-request:
+      method: "GET"
+      version: "1.1"
+      url: /response/malformed/chunk/size2
+      headers:
+        fields:
+        - [ Host, example.com ]
+        - [ uuid, 107 ]
+
+    # The connection will be dropped and this response will not go out.
+    server-response:
+      status: 200
+      reason: OK
+      headers:
+        fields:
+        - [ Transfer-Encoding, chunked ]
+      content:
+        transfer: plain
+        encoding: uri
+        # Chunk header must end with a sequence of CRLF.
+        data: 3%0Adef%0D%0A0%0D%0A%0D%0A
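Review bot: The two added sessions carry the same URL (`/response/malformed/chunk/size2`) and the same comment, so only the uuid and one byte of `data` tell the bare-CR case (106) from the bare-LF case (107). I would make the comments specific: `# Bare CR after the chunk size (no LF follows).` for 106 and `# Bare LF after the chunk size (no CR precedes it).` for 107. Judging by the HttpTunnel.cc change, a bare LF is still accepted when `strict_chunk_parsing` is off, so the expectation that 107's response is dropped presumably relies on strict parsing being enabled in the test setup, which is not visible in this diff; a short comment saying so would help.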
