CVE-2020-8287.patch 2.2 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
  1. Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
  2. Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530
  3. From: Fedor Indutny <fedor@indutny.com>
  4. Date: Wed, 18 Nov 2020 20:50:21 -0800
  5. Date: 2022-08-05
  6. Duplicate `Transfer-Encoding` header should be a treated as a single,
  7. but with original header values concatenated with a comma separator. In
  8. the light of this, even if the past `Transfer-Encoding` ended with
  9. `chunked`, we should be not let the `F_CHUNKED` to leak into the next
  10. header, because mere presence of another header indicates that `chunked`
  11. is not the last transfer-encoding token.
  12. CVE-ID: CVE-2020-8287
  13. PR-URL: https://github.com/nodejs-private/node-private/pull/235
  14. Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
  15. --- a/http_parser.c
  16. +++ b/http_parser.c
  17. @@ -1344,6 +1344,13 @@
  18. } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
  19. parser->header_state = h_transfer_encoding;
  20. parser->uses_transfer_encoding = 1;
  21. +
  22. + /* Multiple `Transfer-Encoding` headers should be treated as
  23. + * one, but with values separate by a comma.
  24. + *
  25. + * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
  26. + */
  27. + parser->flags &= ~F_CHUNKED;
  28. }
  29. break;
  30. --- a/test.c
  31. +++ b/test.c
  32. @@ -2154,6 +2154,32 @@
  33. ,.body= "2\r\nOK\r\n0\r\n\r\n"
  34. ,.num_chunks_complete= 0
  35. }
  36. +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
  37. +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
  38. + ,.type= HTTP_RESPONSE
  39. + ,.raw= "HTTP/1.1 200 OK\r\n"
  40. + "Transfer-Encoding: chunked\r\n"
  41. + "Transfer-Encoding: identity\r\n"
  42. + "\r\n"
  43. + "2\r\n"
  44. + "OK\r\n"
  45. + "0\r\n"
  46. + "\r\n"
  47. + ,.should_keep_alive= FALSE
  48. + ,.message_complete_on_eof= TRUE
  49. + ,.http_major= 1
  50. + ,.http_minor= 1
  51. + ,.status_code= 200
  52. + ,.response_status= "OK"
  53. + ,.content_length= -1
  54. + ,.num_headers= 2
  55. + ,.headers=
  56. + { { "Transfer-Encoding", "chunked" }
  57. + , { "Transfer-Encoding", "identity" }
  58. + }
  59. + ,.body= "2\r\nOK\r\n0\r\n\r\n"
  60. + ,.num_chunks_complete= 0
  61. + }
  62. };
  63. /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so