From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 9 Jul 2024 06:57:53 +0000 (+0200)
Subject: BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
X-Git-Tag: v3.1-dev3~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=428451fe96d9ad9ba8ef0f0669e145a37d97304d;p=thirdparty%2Fhaproxy.git

BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value

The following Transfer-Encoding header is now rejected with a
400-bad-request:

  Transfer-Encoding: chunked,\r\n

This case was not properly handled and the last empty value was just
ignored.

This patch must be backported as far as 2.6.
---

diff --git a/src/h1.c b/src/h1.c
index ff3f5ae9aa..c373676453 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -140,6 +140,10 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
 			continue;
 
 		n = http_find_hdr_value_end(word.ptr, e); // next comma or end of line
+
+		/* a comma at the end means the last value is empty */
+		if (n+1 == e)
+			goto fail;
 		word.len = n - word.ptr;
 
 		/* trim trailing blanks */