From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 9 Jul 2024 05:55:58 +0000 (+0200)
Subject: BUG/MEDIUM: h1: Reject empty Transfer-encoding header
X-Git-Tag: v3.1-dev3~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a2dd6f3777959187565edd79475091e155e2161;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h1: Reject empty Transfer-encoding header

The Transfer-Encoding headers list the transfer coding that have been
applied to the content in order to form the message body. It is a list of
tokens. And as specified by RFC 9110, a token cannot be empty. When several
coding names are specify as a comma-separated value, this case is properly
handled and an error is triggered. However, an empty header value will just
be skipped and no error is triggered. This could be an issue with some buggy
servers.

Now, empty Transfer-Encoding header are rejected too.

This patch must be backported as far as 2.6.
---

diff --git a/src/h1.c b/src/h1.c
index c373676453..ca001e8e5f 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -129,6 +129,10 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
 	char *e, *n;
 	struct ist word;
 
+	/* Reject empty header */
+	if (istptr(value) == istend(value))
+	    goto fail;
+
 	h1m->flags |= H1_MF_XFER_ENC;
 
 	word.ptr = value.ptr - 1; // -1 for next loop's pre-increment