
Commit 7b74fc9

fix: lenient chunk extension parsing leading to request smuggling issues (#1899)
* fix request smuggling issue * correct broken error messages * fix lint
1 parent ed2d390 commit 7b74fc9

1 file changed

+9
-2
lines changed


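--- a/http.go
+++ b/http.go
@@ -2505,17 +2505,24 @@ func parseChunkSize(r *bufio.Reader) (int, error) {
 c, err := r.ReadByte()
 if err != nil {
 return -1, ErrBrokenChunk{
-error: fmt.Errorf("cannot read '\r' char at the end of chunk size: %w", err),
+error: fmt.Errorf("cannot read '\\r' char at the end of chunk size: %w", err),
 }
 }
 // Skip chunk extension after chunk size.
 // Add support later if anyone needs it.
 if c != '\r' {
+// Security: Don't allow newlines in chunk extensions.
+// This can lead to request smuggling issues with some reverse proxies.
+if c == '\n' {
+return -1, ErrBrokenChunk{
+error: errors.New("invalid character '\\n' after chunk size"),
+}
+}
 continue
 }
 if err := r.UnreadByte(); err != nil {
 return -1, ErrBrokenChunk{
-error: fmt.Errorf("cannot unread '\r' char at the end of chunk size: %w", err),
+error: fmt.Errorf("cannot unread '\\r' char at the end of chunk size: %w", err),
 }
 }
 break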
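Review bot: The new `if c == '\n'` guard inside the `if c != '\r'` branch is the only thing enforcing the fix, yet the commit touches no test file, so a regression test should accompany it: a table-driven case that feeds a chunk-size line whose extension contains a bare LF to parseChunkSize and asserts that the returned error is an ErrBrokenChunk. The skip loop otherwise still consumes extension bytes one at a time with no upper bound on the extension length, which is worth capping in a follow-up (a named constant such as `<max chunk extension length>` as a placeholder, returning ErrBrokenChunk once exceeded) so a peer cannot keep the parser spinning. The security comment would be clearer if it named the mechanism rather than the outcome, e.g. `// A bare LF inside the extension is presumably taken as the line terminator by some intermediaries, so accepting it here would let the two sides disagree on where the chunk-size line ends.` The enclosing read loop of parseChunkSize and the check for the trailing '\n' lie outside this hunk.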
