From 15a93914782789520837c334e0c302702aec34e2 Mon Sep 17 00:00:00 2001
From: Jeremy Evans
Date: Fri, 21 Jun 2024 16:49:13 -0700
Subject: [PATCH] Return 400 response for chunked requests with unexpected data after chunk
Fixes #133
---
 lib/webrick/httprequest.rb | 6 +++++-
 test/webrick/test_httprequest.rb | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index f6d0b67..4e1de8c 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -574,7 +574,11 @@ def read_chunked(socket, block)
 block.call(data)
 end while (chunk_size -= sz) > 0
- read_line(socket) # skip CRLF
+ line = read_line(socket) # skip CRLF
+ unless line == "\r\n"
+ raise HTTPStatus::BadRequest, "extra data after chunk `#{line}'."
+ end
+
 chunk_size, = read_chunk_size(socket)
 end
 read_header(socket) # trailer + CRLF
diff --git a/test/webrick/test_httprequest.rb b/test/webrick/test_httprequest.rb
index 122a7c1..ea7e5a9 100644
--- a/test/webrick/test_httprequest.rb
+++ b/test/webrick/test_httprequest.rb
@@ -423,6 +423,29 @@ def test_bad_chunked
 end
 end
+ def test_bad_chunked_extra_data
+ msg = <<~HTTP
+ POST /path HTTP/1.1\r
+ Transfer-Encoding: chunked\r
+ \r
+ 3\r
+ ABCthis-all-gets-ignored\r
+ 0\r
+ \r
+ HTTP
+ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+ req.parse(StringIO.new(msg))
+ assert_raise(WEBrick::HTTPStatus::BadRequest){ req.body }
+
+ # chunked req.body_reader
+ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+ req.parse(StringIO.new(msg))
+ dst = StringIO.new
+ assert_raise(WEBrick::HTTPStatus::BadRequest) do
+ IO.copy_stream(req.body_reader, dst)
+ end
+ end
+
 def test_null_byte_in_header
 msg = <<~HTTP.gsub("\n", "\r\n")
 POST /path HTTP/1.1\r
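Review bot: The added `raise` in read_chunked copies `line`, which is raw request-body data, into the BadRequest message unmodified. Control characters and as many bytes as read_line permits can therefore end up wherever that message is logged or rendered; neither read_line's length limit nor the rendering path is visible in this hunk. Quoting the value with `raise HTTPStatus::BadRequest, "extra data after chunk #{line.inspect}."` keeps the message on one line, and also makes a nil result from read_line readable if that can happen at end of stream. The trailing comment `# skip CRLF` no longer matches the code, since the line is now validated rather than skipped; `# chunk data must be followed by exactly CRLF` would tell the next reader that the strict comparison is deliberate. The body of read_chunked begins and ends outside this hunk.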
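Review bot: test_bad_chunked_extra_data asserts only one malformed shape, extra bytes between the chunk data and its CRLF. The `line == "\r\n"` comparison it covers also rejects a chunk terminated by a bare LF, and nothing here asserts that. A second heredoc whose data line is `ABC` without the trailing `\r`, checked with the same `assert_raise(WEBrick::HTTPStatus::BadRequest){ req.body }`, would stop a later relaxation of the comparison from passing unnoticed. A message that ends right after the chunk data is worth a case too, though what read_line returns at end of stream is not visible in this patch.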