Skip to content

Commit

Permalink
Return 400 response for chunked requests with unexpected data after c…
Browse files Browse the repository at this point in the history
…hunk

Fixes #133
  • Loading branch information
jeremyevans committed Jun 21, 2024
1 parent a27d7ed commit 45f2e84
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 1 deletion.
6 changes: 5 additions & 1 deletion lib/webrick/httprequest.rb
Original file line number Diff line number Diff line change
Expand Up @@ -566,7 +566,11 @@ def read_chunked(socket, block)
block.call(data)
end while (chunk_size -= sz) > 0

read_line(socket) # skip CRLF
line = read_line(socket) # skip CRLF
unless line == "\r\n"
raise HTTPStatus::BadRequest, "extra data after chunk `#{line}'."
end

chunk_size, = read_chunk_size(socket)
end
read_header(socket) # trailer + CRLF
Expand Down
24 changes: 24 additions & 0 deletions test/webrick/test_httprequest.rb
Original file line number Diff line number Diff line change
Expand Up @@ -312,6 +312,30 @@ def test_bad_chunked
end
end

def test_bad_chunked_extra_data
msg = <<-_end_of_message_
POST /path HTTP/1.1\r
Transfer-Encoding: chunked\r
\r
3\r
ABCthis-all-gets-ignored\r
0\r
\r
_end_of_message_
msg.gsub!(/^ {6}/, "")
req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
req.parse(StringIO.new(msg))
assert_raise(WEBrick::HTTPStatus::BadRequest){ req.body }

# chunked req.body_reader
req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
req.parse(StringIO.new(msg))
dst = StringIO.new
assert_raise(WEBrick::HTTPStatus::BadRequest) do
IO.copy_stream(req.body_reader, dst)
end
end

def test_null_byte_in_header
msg = <<-_end_of_message_
POST /path HTTP/1.1\r
Expand Down

0 comments on commit 45f2e84

Please # to comment.