[core] RFC-strict parse of Content-Length

augment simple strtoll() which allowed number to begin with '+'

This is not exploitable for HTTP Request Smuggling since lighttpd
mod_proxy sends "Connection: close" to backends, and other CGI-based
backends reconstitute CONTENT_LENGTH in the environment without '+'.

(thx Amit Klein, Safebreach)
personal/stbuehler/ci-build
Glenn Strauss 2 years ago
parent
commit
6876c16be0

src/request.c

@ -430,7 +430,7 @@ static int http_request_parse_single_header(request_st * const restrict r, const
/*(trailing whitespace was removed from vlen)*/
char *err;
off_t clen = strtoll(v, &err, 10);
if (clen >= 0 && err == v+vlen) {
if (clen >= 0 && err == v+vlen && light_isdigit(v[0])) {
/* (set only if not set to -1 by Transfer-Encoding: chunked) */
if (0 == r->reqbody_length) r->reqbody_length = clen;
}
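
Review bot: The condition on the light_isdigit(v[0]) line still accepts an over-long digit string, because strtoll() saturates to LLONG_MAX with errno set to ERANGE and that result passes "clen >= 0 && err == v+vlen", so a value that does not fit is stored in r->reqbody_length as if it were a valid length. Suggest clearing errno before the call and rejecting ERANGE (or bounding vlen), and adding a one-line comment that the v[0] test is there because strtoll() skips leading whitespace and accepts a leading '+' or '-'. Separately, with "if (0 == r->reqbody_length)" a second Content-Length header is ignored when the first was non-zero but replaces it when the first was 0; if conflicting duplicates are not rejected elsewhere, this is the place to do it.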
