fix: lenient chunk extension parsing leading to request smuggling issues (#1899)

JeppW · web-flow · commit 7b74fc98457c · 2024-11-24T20:10:50.000+08:00
* fix request smuggling issue

* correct broken error messages

* fix lint
diff --git a/http.go b/http.go
@@ -2505,17 +2505,24 @@ func parseChunkSize(r *bufio.Reader) (int, error) {
 		c, err := r.ReadByte()
 		if err != nil {
 			return -1, ErrBrokenChunk{
-				error: fmt.Errorf("cannot read '\r' char at the end of chunk size: %w", err),
+				error: fmt.Errorf("cannot read '\\r' char at the end of chunk size: %w", err),
 			}
 		}
 		// Skip chunk extension after chunk size.
 		// Add support later if anyone needs it.
 		if c != '\r' {
+			// Security: Don't allow newlines in chunk extensions.
+			// This can lead to request smuggling issues with some reverse proxies.
+			if c == '\n' {
+				return -1, ErrBrokenChunk{
+					error: errors.New("invalid character '\\n' after chunk size"),
+				}
+			}
 			continue
 		}
 		if err := r.UnreadByte(); err != nil {
 			return -1, ErrBrokenChunk{
-				error: fmt.Errorf("cannot unread '\r' char at the end of chunk size: %w", err),
+				error: fmt.Errorf("cannot unread '\\r' char at the end of chunk size: %w", err),
 			}
 		}
 		break

Original file line number	Diff line number	Diff line change
`@@ -2505,17 +2505,24 @@ func parseChunkSize(r *bufio.Reader) (int, error) {`
`2505`	`2505`	`c, err := r.ReadByte()`
`2506`	`2506`	`if err != nil {`
`2507`	`2507`	`return -1, ErrBrokenChunk{`
`2508`		`- error: fmt.Errorf("cannot read '\r' char at the end of chunk size: %w", err),`
	`2508`	`+ error: fmt.Errorf("cannot read '\\r' char at the end of chunk size: %w", err),`
`2509`	`2509`	`}`
`2510`	`2510`	`}`
`2511`	`2511`	`// Skip chunk extension after chunk size.`
`2512`	`2512`	`// Add support later if anyone needs it.`
`2513`	`2513`	`if c != '\r' {`
	`2514`	`+ // Security: Don't allow newlines in chunk extensions.`
	`2515`	`+ // This can lead to request smuggling issues with some reverse proxies.`
	`2516`	`+ if c == '\n' {`
	`2517`	`+ return -1, ErrBrokenChunk{`
	`2518`	`+ error: errors.New("invalid character '\\n' after chunk size"),`
	`2519`	`+ }`
	`2520`	`+ }`
`2514`	`2521`	`continue`
`2515`	`2522`	`}`
`2516`	`2523`	`if err := r.UnreadByte(); err != nil {`
`2517`	`2524`	`return -1, ErrBrokenChunk{`
`2518`		`- error: fmt.Errorf("cannot unread '\r' char at the end of chunk size: %w", err),`
	`2525`	`+ error: fmt.Errorf("cannot unread '\\r' char at the end of chunk size: %w", err),`
`2519`	`2526`	`}`
`2520`	`2527`	`}`
`2521`	`2528`	`break`