BUG/MINOR: h1: Fail to parse empty transfer coding names
Empty transfer coding names, inside a comma-separated list, are already
rejected. But it is only by chance. Today, it is detected as an unknown
coding names (not "chunked" concretly). Then, it is handled by the H1
multiplexer as an error and a 422-Unprocessable-Content response is
returned.
So, the error is properly detected in this case, but it is not accurate. A
400-bad-request response must be returned instead. Then, it is better to
catch the error during the header parsing. It is the purpose of this patch.
This patch should be backported as far as 2.6.
(cherry picked from commit b8b01027603ae53fdebc7c63c4dacf0908eaef82)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 9df5f65f26070359c2ecd1fe72dc22b43a784fc4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 7a6ab0da5d77f6f954580fd53d6504ccb6b30e7f)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/h1.c b/src/h1.c
index 5abb656..787b885 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -147,7 +147,12 @@
word.len--;
h1m->flags &= ~H1_MF_CHNK;
- if (isteqi(word, ist("chunked"))) {
+
+ /* empty values are forbidden */
+ if (!word.len)
+ goto fail;
+
+ else if (isteqi(word, ist("chunked"))) {
if (h1m->flags & H1_MF_TE_CHUNKED) {
/* cf RFC7230#3.3.1 : A sender MUST NOT apply
* chunked more than once to a message body