author | Erik Dubbelboer <erik@dubbelboer.com> | 2024-02-11 15:08:56 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-11 08:08:56 +0100 |
commit | bce576699a322ab33b618773a4456a25e602682d (patch) | |
tree | bda1bedb288781bb14b5955044b3cde4a8981e4e /header.go | |
parent | Follow RFCs 7230 and 9112 for HTTP versions (#1710) (diff) | |
* Prevent request smuggling
Prevent request smuggling when fasthttp is behind a reverse proxy that
might interpret headers differently, by being stricter. Should also
prevent request smuggling when fasthttp is used as the reverse proxy.
* Make header value comparison case-insensitive
Diffstat (limited to 'header.go')
-rw-r--r-- | header.go | 19 |
1 files changed, 18 insertions, 1 deletions
@@ -3029,6 +3029,8 @@ func (h *ResponseHeader) parseHeaders(buf []byte) (int, error) {
 func (h *RequestHeader) parseHeaders(buf []byte) (int, error) {
 	h.contentLength = -2
 
+	contentLengthSeen := false
+
 	var s headerScanner
 	s.b = buf
 	s.disableNormalizing = h.disableNormalizing
@@ -3064,6 +3066,11 @@ func (h *RequestHeader) parseHeaders(buf []byte) (int, error) {
 				continue
 			}
 			if caseInsensitiveCompare(s.key, strContentLength) {
+				if contentLengthSeen {
+					return 0, fmt.Errorf("duplicate Content-Length header")
+				}
+				contentLengthSeen = true
+
 				if h.contentLength != -1 {
 					var nerr error
 					if h.contentLength, nerr = parseContentLength(s.value); nerr != nil {
@@ -3088,7 +3095,17 @@ func (h *RequestHeader) parseHeaders(buf []byte) (int, error) {
 			}
 		case 't':
 			if caseInsensitiveCompare(s.key, strTransferEncoding) {
-				if !bytes.Equal(s.value, strIdentity) {
+				isIdentity := caseInsensitiveCompare(s.value, strIdentity)
+				isChunked := caseInsensitiveCompare(s.value, strChunked)
+
+				if !isIdentity && !isChunked {
+					if h.secureErrorLogMessage {
+						return 0, fmt.Errorf("unsupported Transfer-Encoding")
+					}
+					return 0, fmt.Errorf("unsupported Transfer-Encoding: %q", s.value)
+				}
+
+				if isChunked {
 					h.contentLength = -1
 					h.h = setArgBytes(h.h, strTransferEncoding, strChunked, argsHasValue)
 				}
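Review bot: The new duplicate check rejects two Content-Length headers, but a request carrying both Content-Length and Transfer-Encoding: chunked is still accepted: in this hunk the `if h.contentLength != -1` guard silently drops the Content-Length when chunked was seen earlier, and in the Transfer-Encoding hunk a chunked value overrides a Content-Length seen earlier. That combination is exactly the CL/TE ambiguity the commit message is about, and RFC 9112 §6.1 allows a server to reject such a request outright (and says the connection must be closed after responding to it either way, which this hunk cannot show); now that `contentLengthSeen` is tracked, both orders can be rejected with `if h.contentLength == -1 { return 0, fmt.Errorf("Content-Length with Transfer-Encoding") }` here and `if isChunked && contentLengthSeen { /* same error */ }` in the Transfer-Encoding branch, if compatibility allows. The error is built with `fmt.Errorf` and no format verbs; `errors.New` (if the errors package is already imported) or a package-level sentinel would be the usual form, and the same applies to the two messages in the Transfer-Encoding hunk. parseHeaders starts before and ends after this hunk.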
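Review bot: `Transfer-Encoding: identity` is still accepted as a no-op here (the `isIdentity` case falls through and the body is then framed by Content-Length), which is more lenient than RFC 9112 §6.3, where a request whose Transfer-Encoding does not end in chunked must be answered with 400 and the connection closed; a front-end that follows the RFC and fasthttp can therefore disagree on how such a request is framed. Given the commit's stated goal, treating identity like the other codings (`if !isChunked {` in place of `if !isIdentity && !isChunked {`, dropping `isIdentity`) would be the stricter choice; if it is kept for compatibility, a comment such as `// "identity" is tolerated for backwards compatibility; RFC 9112 §6.3 would reject it` would record the decision. Note also that a comma-separated list ending in chunked (for example `gzip, chunked`) is now rejected, because the value is compared whole against `strChunked` — intentional strictness, but worth stating in the changelog. parseHeaders continues outside the hunk.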