BUG/MEDIUM: h1: Reject empty Transfer-encoding header

The Transfer-Encoding headers list the transfer coding that have been
applied to the content in order to form the message body. It is a list of
tokens. And as specified by RFC 9110, a token cannot be empty. When several
coding names are specify as a comma-separated value, this case is properly
handled and an error is triggered. However, an empty header value will just
be skipped and no error is triggered. This could be an issue with some buggy
servers.

Now, empty Transfer-Encoding header are rejected too.

This patch must be backported as far as 2.6.

diff --git a/src/h1.c b/src/h1.c
index c373676453902a62174022efb403513468a36aae..ca001e8e5ff2b2c2fa04f83537ad2d8c57c2ff56 100644 (file)
--- a/src/h1.c
+++ b/src/h1.c
@@ -129,6 +129,10 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
        char *e, *n;
        struct ist word;
 
+       /* Reject empty header */
+       if (istptr(value) == istend(value))
+           goto fail;
+
        h1m->flags |= H1_MF_XFER_ENC;
 
        word.ptr = value.ptr - 1; // -1 for next loop's pre-increment