From: Eric Wong
Date: Wed, 2 Apr 2025 19:00:14 +0000 (+0000)
Subject: http: fix and test Trailer: rejection
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae3c81bb9c6eb5aebd0d9d2c25e89c31b405775f;p=thirdparty%2Fpublic-inbox.git

http: fix and test Trailer: rejection

We need to check for the existence of Trailers after successful parsing. I actually intend to support HTTP trailers, and I noticed this while working on adding support for them.
---
diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 416fc4531..69cba8a63 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -91,17 +91,15 @@ sub event_step { # called by PublicInbox::DS
 my %env = %{$self->{srv_env}}; # full hash copy
 my $r;
 while (($r = parse_http_request($$rbuf, \%env)) < 0) {
- # We do not support Trailers in chunked requests, for
- # now (they are rarely-used and git (as of 2.7.2) does
- # not use them).
 # this length-check is necessary for PURE_PERL=1:
- if ($r == -1 || $env{HTTP_TRAILER} ||
- ($r == -2 && length($$rbuf) > 0x4000)) {
+ ($r == -1 || ($r == -2 && length($$rbuf) > 0x4000)) and
 return quit($self, 400);
- }
 $self->do_read($rbuf, 8192, length($$rbuf)) or return;
 }
- return quit($self, 400) if grep(/\s/, keys %env); # stop smugglers
+ # We do not support Trailers in chunked requests, for now.
+ # They're rarely-used and git (as of 2.7.2) does not use them.
+ return quit($self, 400) if exists($env{HTTP_TRAILER}) ||
+ grep(/\s/, keys %env); # stop smugglers
 $$rbuf = substr($$rbuf, $r);
 my $len = input_prepare($self, \%env) //
 return write_err($self, undef); # EMFILE/ENFILE
diff --git a/t/httpd-corner.t b/t/httpd-corner.t
index a29e0657f..c57bc39fa 100644
--- a/t/httpd-corner.t
+++ b/t/httpd-corner.t
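Review bot: In the lib/PublicInbox/HTTP.pm hunk, the new `exists($env{HTTP_TRAILER})` test after the parse loop only rejects requests that declare trailers in a `Trailer:` header. A chunked body can still carry trailer fields after its last chunk without declaring them, so the comment "We do not support Trailers" holds only if the chunked-body reader also refuses a non-empty trailer section. That reader is outside this hunk (event_step starts and ends outside it), so it may already do so; if it does not, leftover trailer bytes could be parsed as the start of the next request on a persistent connection. I would extend the comment to record the limit, e.g. `# NB: only catches declared trailers; the chunked reader must itself reject trailer fields after the last chunk`. The trailing `# stop smugglers` now sits on the continuation line and reads as covering only the `grep`, so a short line above the `return` saying that whitespace in an env key (presumably from a malformed header name) is the second rejection reason would keep the two checks distinguishable.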
@@ -135,6 +135,14 @@ if ('test worker death') { sysread $conn, my $buf, 4096; like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on bad request'); } +{ + my $conn = $mkreq->($sock, 'Trailer rejected (for now)', <($sock, 'streaming callback', "GET /callback HTTP/1.0\r\n\r\n");