[mod_webdav] reject non-identity Content-Encoding

mod_webdav currently does not handle client Content-Encoding of request bodies (besides the default: "identity") x-ref: Hypertext Transfer Protocol (HTTP) Client-Initiated Content-Encoding https://www.rfc-editor.org/rfc/rfc7694.html https://www.rfc-editor.org/rfc/rfc9110#field.content-encoding
2023-09-19 01:32:09 -04:00 · 2023-09-19 01:32:09 -04:00 · 9ea82d4184
parent 2328eccbad
commit 9ea82d4184
1 changed files with 25 additions and 9 deletions
--- a/src/mod_webdav.c
+++ b/src/mod_webdav.c
@ -6058,15 +6058,31 @@ PHYSICALPATH_FUNC(mod_webdav_physical_handler)
        return HANDLER_FINISHED;
    }

-    if (reject_reqbody && r->reqbody_length) {
-        /* [RFC4918] 8.4 Required Bodies in Requests
-         *   Servers MUST examine all requests for a body, even when a
-         *   body was not expected. In cases where a request body is
-         *   present but would be ignored by a server, the server MUST
-         *   reject the request with 415 (Unsupported Media Type).
-         */
-        http_status_set_error(r, 415); /* Unsupported Media Type */
-        return HANDLER_FINISHED;
+    if (r->reqbody_length) {
+        if (reject_reqbody) {
+            /* [RFC4918] 8.4 Required Bodies in Requests
+             *   Servers MUST examine all requests for a body, even when a
+             *   body was not expected. In cases where a request body is
+             *   present but would be ignored by a server, the server MUST
+             *   reject the request with 415 (Unsupported Media Type).
+             */
+            http_status_set_error(r, 415); /* Unsupported Media Type */
+            return HANDLER_FINISHED;
+        }
+        /* [RFC7694]
+         * Hypertext Transfer Protocol (HTTP) Client-Initiated Content-Encoding
+         * (future: might add support for gzip or other content-encodings used
+         *          by client on request body) */
+        const buffer * const vb =
+          http_header_request_get(r, HTTP_HEADER_CONTENT_ENCODING,
+                                  CONST_STR_LEN("Content-Encoding"));
+        if (vb != NULL) { /*("identity" not expected; should not be listed)*/
+            http_header_response_set(r, HTTP_HEADER_ACCEPT_ENCODING,
+                                     CONST_STR_LEN("Accept-Encoding"),
+                                     CONST_STR_LEN("identity"));
+            http_status_set_error(r, 415); /* Unsupported Media Type */
+            return HANDLER_FINISHED;
+        }
    }

    if (check_lock_src && !webdav_has_lock(r, &pconf, &r->physical.rel_path))