http: disable chunked encoding when OBS fold is used

Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> PR-URL: #341 CVE-ID: CVE-2022-32213, CVE-2022-32215, CVE-2022-35256
2025-12-28 07:50:41 +00:00 · 2022-09-19 14:37:21 +02:00 · 2022-09-19 14:37:21 +02:00 · 2e92e5b71d
commit 2e92e5b71d
parent 5cc36c39d2
6 changed files with 379 additions and 287 deletions
--- a/deps/llhttp/CMakeLists.txt
+++ b/deps/llhttp/CMakeLists.txt
@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)

-project(llhttp VERSION 6.0.9)
+project(llhttp VERSION 6.0.10)
 include(GNUInstallDirs)

 set(CMAKE_C_STANDARD 99)
--- a/deps/llhttp/include/llhttp.h
+++ b/deps/llhttp/include/llhttp.h
@ -3,7 +3,7 @@

 #define LLHTTP_VERSION_MAJOR 6
 #define LLHTTP_VERSION_MINOR 0
-#define LLHTTP_VERSION_PATCH 9
+#define LLHTTP_VERSION_PATCH 10

 #ifndef LLHTTP_STRICT_MODE
 # define LLHTTP_STRICT_MODE 0
--- a/deps/llhttp/src/llhttp.c
+++ b/deps/llhttp/src/llhttp.c
--- a/test/parallel/test-http-header-overflow.js
+++ b/test/parallel/test-http-header-overflow.js
@ -6,13 +6,11 @@ const assert = require('assert');
 const { createServer, maxHeaderSize } = require('http');
 const { createConnection } = require('net');

-const { getOptionValue } = require('internal/options');
-
 const CRLF = '\r\n';
 const DUMMY_HEADER_NAME = 'Cookie: ';
 const DUMMY_HEADER_VALUE = 'a'.repeat(
  // Plus one is to make it 1 byte too big
-  maxHeaderSize - DUMMY_HEADER_NAME.length - (2 * CRLF.length) + 1
+  maxHeaderSize - DUMMY_HEADER_NAME.length + 2
 );
 const PAYLOAD_GET = 'GET /blah HTTP/1.1';
 const PAYLOAD = PAYLOAD_GET + CRLF +
@ -21,14 +19,11 @@ const PAYLOAD = PAYLOAD_GET + CRLF +
 const server = createServer();

 server.on('connection', mustCall((socket) => {
-  // Legacy parser gives sligthly different response.
-  // This discripancy is not fixed on purpose.
-  const legacy = getOptionValue('--http-parser') === 'legacy';
  socket.on('error', expectsError({
    name: 'Error',
    message: 'Parse Error: Header overflow',
    code: 'HPE_HEADER_OVERFLOW',
-    bytesParsed: maxHeaderSize + PAYLOAD_GET.length - (legacy ? -1 : 0),
+    bytesParsed: maxHeaderSize + PAYLOAD_GET.length + (CRLF.length * 2) + 1,
    rawPacket: Buffer.from(PAYLOAD)
  }));
 }));
--- a/test/parallel/test-http-missing-header-separator-cr.js
+++ b/test/parallel/test-http-missing-header-separator-cr.js
@ -6,21 +6,7 @@ const assert = require('assert');
 const http = require('http');
 const net = require('net');

-const msg = [
-  'GET / HTTP/1.1',
-  'Host: localhost',
-  'Dummy: x\nContent-Length: 23',
-  '',
-  'GET / HTTP/1.1',
-  'Dummy: GET /admin HTTP/1.1',
-  'Host: localhost',
-  '',
-  '',
-].join('\r\n');
-
-const server = http.createServer(common.mustNotCall());
-
-server.listen(0, common.mustSucceed(() => {
+function serverHandler(server, msg) {
  const client = net.connect(server.address().port, 'localhost');

  let response = '';
@ -40,4 +26,58 @@ server.listen(0, common.mustSucceed(() => {
  }));
  client.write(msg);
  client.resume();
-}));
+}
+
+{
+  const msg = [
+    'GET / HTTP/1.1',
+    'Host: localhost',
+    'Dummy: x\nContent-Length: 23',
+    '',
+    'GET / HTTP/1.1',
+    'Dummy: GET /admin HTTP/1.1',
+    'Host: localhost',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: localhost',
+    'x:x\nTransfer-Encoding: chunked',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
+
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: localhost',
+    'x:\nTransfer-Encoding: chunked',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustNotCall());
+
+  server.listen(0, common.mustSucceed(serverHandler.bind(null, server, msg)));
+}
--- a/test/parallel/test-http-transfer-encoding-smuggling.js
+++ b/test/parallel/test-http-transfer-encoding-smuggling.js
@ -6,47 +6,84 @@ const assert = require('assert');
 const http = require('http');
 const net = require('net');

-const msg = [
-  'POST / HTTP/1.1',
-  'Host: 127.0.0.1',
-  'Transfer-Encoding: chunked',
-  'Transfer-Encoding: chunked-false',
-  'Connection: upgrade',
-  '',
-  '1',
-  'A',
-  '0',
-  '',
-  'GET /flag HTTP/1.1',
-  'Host: 127.0.0.1',
-  '',
-  '',
-].join('\r\n');
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: 127.0.0.1',
+    'Transfer-Encoding: chunked',
+    'Transfer-Encoding: chunked-false',
+    'Connection: upgrade',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    'GET /flag HTTP/1.1',
+    'Host: 127.0.0.1',
+    '',
+    '',
+  ].join('\r\n');

-const server = http.createServer(common.mustNotCall((req, res) => {
-  res.end();
-}, 1));
+  const server = http.createServer(common.mustNotCall((req, res) => {
+    res.end();
+  }, 1));

-server.listen(0, common.mustSucceed(() => {
-  const client = net.connect(server.address().port, 'localhost');
+  server.listen(0, common.mustSucceed(() => {
+    const client = net.connect(server.address().port, 'localhost');

-  let response = '';
+    let response = '';

-  // Verify that the server listener is never called
+    // Verify that the server listener is never called

-  client.on('data', common.mustCall((chunk) => {
-    response += chunk;
+    client.on('data', common.mustCall((chunk) => {
+      response += chunk;
+    }));
+
+    client.setEncoding('utf8');
+    client.on('error', common.mustNotCall());
+    client.on('end', common.mustCall(() => {
+      assert.strictEqual(
+        response,
+        'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n'
+      );
+      server.close();
+    }));
+    client.write(msg);
+    client.resume();
  }));
+}

-  client.setEncoding('utf8');
-  client.on('error', common.mustNotCall());
-  client.on('end', common.mustCall(() => {
-    assert.strictEqual(
-      response,
-      'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n'
-    );
-    server.close();
+{
+  const msg = [
+    'POST / HTTP/1.1',
+    'Host: 127.0.0.1',
+    'Transfer-Encoding: chunked',
+    ' , chunked-false',
+    'Connection: upgrade',
+    '',
+    '1',
+    'A',
+    '0',
+    '',
+    'GET /flag HTTP/1.1',
+    'Host: 127.0.0.1',
+    '',
+    '',
+  ].join('\r\n');
+
+  const server = http.createServer(common.mustCall((request, response) => {
+    assert.notStrictEqual(request.url, '/admin');
+    response.end('hello world');
+  }), 1);
+
+  server.listen(0, common.mustSucceed(() => {
+    const client = net.connect(server.address().port, 'localhost');
+
+    client.on('end', common.mustCall(function() {
+      server.close();
+    }));
+
+    client.write(msg);
+    client.resume();
  }));
-  client.write(msg);
-  client.resume();
-}));
+}