fix(http1): fix server misinterpretting multiple Transfer-Encoding headers

When a request arrived with multiple `Transfer-Encoding` headers, hyper would check each if they ended with `chunked`. It should have only checked if the *last* header ended with `chunked`. See https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
2021-02-05 13:27:30 -08:00
parent 4d2125c67c
commit 8f93123efe
1 changed files with 12 additions and 0 deletions
--- a/src/proto/h1/role.rs
+++ b/src/proto/h1/role.rs
@@ -213,6 +213,8 @@ impl Http1Transaction for Server {
                    if headers::is_chunked_(&value) {
                        is_te_chunked = true;
                        decoder = DecodedLength::CHUNKED;
+                    } else {
+                        is_te_chunked = false;
                    }
                }
                header::CONTENT_LENGTH => {
@@ -1444,6 +1446,16 @@ mod tests {
            "transfer-encoding doesn't end in chunked",
        );

+        parse_err(
+            "\
+             POST / HTTP/1.1\r\n\
+             transfer-encoding: chunked\r\n\
+             transfer-encoding: afterlol\r\n\
+             \r\n\
+             ",
+            "transfer-encoding multiple lines doesn't end in chunked",
+        );
+
        // http/1.0

        assert_eq!(