git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
http-parser
1
0
Fork 0
Files
Tree: 6857b95dcf
Branches Tags
http-parser
/
debian
/
patches
/
CVE-2020-8287.patch

CVE-2020-8287.patch 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
    2. 

  2. Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530
    3. 

  3. From: Fedor Indutny <fedor@indutny.com>
    4. 

  4. Date: Wed, 18 Nov 2020 20:50:21 -0800
    5. 

  5. Date: 2022-08-05
    6. 

  6. 

  7. Duplicate `Transfer-Encoding` header should be a treated as a single,
    8. 

  8. but with original header values concatenated with a comma separator. In
    9. 

  9. the light of this, even if the past `Transfer-Encoding` ended with
    10. 

  10. `chunked`, we should be not let the `F_CHUNKED` to leak into the next
    11. 

  11. header, because mere presence of another header indicates that `chunked`
    12. 

  12. is not the last transfer-encoding token.
    13. 

  13. 

  14. CVE-ID: CVE-2020-8287
    15. 

  15. PR-URL: https://github.com/nodejs-private/node-private/pull/235
    16. 

  16. Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    17. 

  17. --- a/http_parser.c
    18. 

  18. +++ b/http_parser.c
    19. 

  19. @@ -1344,6 +1344,13 @@
    20. 

  20.                } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
    21. 

  21.                  parser->header_state = h_transfer_encoding;
    22. 

  22.                  parser->uses_transfer_encoding = 1;
    23. 

  23. +
    24. 

  24. +                /* Multiple `Transfer-Encoding` headers should be treated as
    25. 

  25. +                 * one, but with values separate by a comma.
    26. 

  26. +                 *
    27. 

  27. +                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
    28. 

  28. +                 */
    29. 

  29. +                parser->flags &= ~F_CHUNKED;
    30. 

  30.                }
    31. 

  31.                break;
    32. 

  32.  
    33. 

  33. --- a/test.c
    34. 

  34. +++ b/test.c
    35. 

  35. @@ -2154,6 +2154,32 @@
    36. 

  36.    ,.body= "2\r\nOK\r\n0\r\n\r\n"
    37. 

  37.    ,.num_chunks_complete= 0
    38. 

  38.    }
    39. 

  39. +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
    40. 

  40. +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
    41. 

  41. +  ,.type= HTTP_RESPONSE
    42. 

  42. +  ,.raw= "HTTP/1.1 200 OK\r\n"
    43. 

  43. +         "Transfer-Encoding: chunked\r\n"
    44. 

  44. +         "Transfer-Encoding: identity\r\n"
    45. 

  45. +         "\r\n"
    46. 

  46. +         "2\r\n"
    47. 

  47. +         "OK\r\n"
    48. 

  48. +         "0\r\n"
    49. 

  49. +         "\r\n"
    50. 

  50. +  ,.should_keep_alive= FALSE
    51. 

  51. +  ,.message_complete_on_eof= TRUE
    52. 

  52. +  ,.http_major= 1
    53. 

  53. +  ,.http_minor= 1
    54. 

  54. +  ,.status_code= 200
    55. 

  55. +  ,.response_status= "OK"
    56. 

  56. +  ,.content_length= -1
    57. 

  57. +  ,.num_headers= 2
    58. 

  58. +  ,.headers=
    59. 

  59. +    { { "Transfer-Encoding", "chunked" }
    60. 

  60. +    , { "Transfer-Encoding", "identity" }
    61. 

  61. +    }
    62. 

  62. +  ,.body= "2\r\nOK\r\n0\r\n\r\n"
    63. 

  63. +  ,.num_chunks_complete= 0
    64. 

  64. +  }
    65. 

  65.  };
    66. 

  66.  
    67. 

  67.  /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
    68.