Mercurial > hg > nginx
comparison src/http/ngx_http_parse.c @ 7562:52b5ee64fe11
Detect runaway chunks in ngx_http_parse_chunked().
As defined in HTTP/1.1, body chunks have the following ABNF:
chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
where chunk-data is a sequence of chunk-size octets.
With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:
4
SEE-THIS-AND-
4
THAT
0
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 03 Sep 2019 17:26:56 +0300 |
| parents | f9661f56c717 |
| children | 5a3426683251 |
comparison
equal
deleted
inserted
replaced
| 7561:9f1f9d6e056a | 7562:52b5ee64fe11 |
|---|---|
| 2266 case CR: | 2266 case CR: |
| 2267 state = sw_after_data_almost_done; | 2267 state = sw_after_data_almost_done; |
| 2268 break; | 2268 break; |
| 2269 case LF: | 2269 case LF: |
| 2270 state = sw_chunk_start; | 2270 state = sw_chunk_start; |
| 2271 break; | |
| 2272 default: | |
| 2273 goto invalid; | |
| 2271 } | 2274 } |
| 2272 break; | 2275 break; |
| 2273 | 2276 |
| 2274 case sw_after_data_almost_done: | 2277 case sw_after_data_almost_done: |
| 2275 if (ch == LF) { | 2278 if (ch == LF) { |