diff options
| author | Eric Wong <e@yhbt.net> | 2020-03-17 06:52:17 +0000 |
|---|---|---|
| committer | Eric Wong <e@yhbt.net> | 2020-03-19 06:45:32 +0000 |
| commit | fa19cdc57074e6efeec2379f2b4e8d14f71773e4 (patch) | |
| tree | c9f237e8fc5e2146c4403e5bb45ee26063f033d2 /t | |
| parent | a93dcadf3ead60189ed9cfcac536c8de8b08a961 (diff) | |
| download | public-inbox-fa19cdc57074e6efeec2379f2b4e8d14f71773e4.tar.gz | |
We need to favor "Transfer-Encoding: chunked" over the value of the Content-Length header. We should also reject bogus, duplicate and/or unreasonable values for both these, since they can trigger unexpected behavior when combined with other HTTP parsers in proxies such as varnish, nginx, haproxy, etc... See RFC 7230 (and RFC 2616) for more details: https://tools.ietf.org/html/rfc7230 https://www.rfc-editor.org/errata_search.php?rfc=7230
Diffstat (limited to 't')
| -rw-r--r-- | t/httpd-corner.t | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/t/httpd-corner.t b/t/httpd-corner.t index cb813897..c99e5ec7 100644 --- a/t/httpd-corner.t +++ b/t/httpd-corner.t @@ -155,6 +155,38 @@ SKIP: { } { + my $conn = conn_for($sock, '1.1 Transfer-Encoding bogus'); + $conn->write("PUT /sha1 HTTP/1.1\r\nTransfer-Encoding: bogus\r\n\r\n"); + $conn->read(my $buf, 4096); + like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on bogus TE'); +} +{ + my $conn = conn_for($sock, '1.1 Content-Length bogus'); + $conn->write("PUT /sha1 HTTP/1.1\r\nContent-Length: 3.3\r\n\r\n"); + $conn->read(my $buf, 4096); + like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on bad length'); +} + +{ + my $req = "PUT /sha1 HTTP/1.1\r\nContent-Length: 3\r\n" . + "Content-Length: 3\r\n\r\n"; + # this is stricter than it needs to be. Due to the way + # Plack::HTTPParser, PSGI specs, and how hash tables work in common + # languages; it's not possible to tell the difference between folded + # and intentionally bad commas (e.g. "Content-Length: 3, 3") + if (0) { + require Plack::HTTPParser; # XS or pure Perl + require Data::Dumper; + Plack::HTTPParser::parse_http_request($req, my $env = {}); + diag Data::Dumper::Dumper($env); # "Content-Length: 3, 3" + } + my $conn = conn_for($sock, '1.1 Content-Length dupe'); + $conn->write($req); + $conn->read(my $buf, 4096); + like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on dupe length'); +} + +{ my $conn = conn_for($sock, 'chunk with pipeline'); my $n = 10; my $payload = 'b'x$n; |