From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 9 Jul 2024 06:15:14 +0000 (+0200)
Subject: BUG/MINOR: h1: Fail to parse empty transfer coding names
X-Git-Tag: v3.1-dev3~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8b01027603ae53fdebc7c63c4dacf0908eaef82;p=thirdparty%2Fhaproxy.git

BUG/MINOR: h1: Fail to parse empty transfer coding names

Empty transfer coding names, inside a comma-separated list, are already
rejected. But it is only by chance. Today, it is detected as an unknown
coding names (not "chunked" concretly). Then, it is handled by the H1
multiplexer as an error and a 422-Unprocessable-Content response is
returned.

So, the error is properly detected in this case, but it is not accurate. A
400-bad-request response must be returned instead. Then, it is better to
catch the error during the header parsing. It is the purpose of this patch.

This patch should be backported as far as 2.6.
---

diff --git a/src/h1.c b/src/h1.c
index bbaa2f67ce..ff3f5ae9aa 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -147,7 +147,12 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
 			word.len--;
 
 		h1m->flags &= ~H1_MF_CHNK;
-		if (isteqi(word, ist("chunked"))) {
+
+		/* empty values are forbidden */
+		if (!word.len)
+			goto fail;
+
+		else if (isteqi(word, ist("chunked"))) {
 			if (h1m->flags & H1_MF_TE_CHUNKED) {
 				/* cf RFC7230#3.3.1 : A sender MUST NOT apply
 				 * chunked more than once to a message body