berkus
/
actix-web
mirror of https://github.com/fafhrd91/actix-web
1
0
Fork 0
Code Issues Releases Wiki Activity

broken fix for http1.0 post requests

This commit is contained in:
Rob Ede 2022-06-27 04:32:18 +01:00
parent 1c410ad8c7
commit 29c800500a
No known key found for this signature in database
GPG Key ID: 97C636207D3EF933
1 changed files with 73 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
actix-http/src/h1/decoder.rs
View File

@ -46,6 +46,23 @@ pub(crate) enum PayloadLength {
None, None,
} }
impl PayloadLength {
/// Returns true if variant is `None`.
fn is_none(&self) -> bool {
matches!(self, Self::None)
}
/// Returns true if variant is represents zero-length (not none) payload.
fn is_zero(&self) -> bool {
matches!(
self,
PayloadLength::Payload(PayloadType::Payload(PayloadDecoder {
kind: Kind::Length(0)
}))
)
}
}
pub(crate) trait MessageType: Sized { pub(crate) trait MessageType: Sized {
fn set_connection_type(&mut self, conn_type: Option<ConnectionType>); fn set_connection_type(&mut self, conn_type: Option<ConnectionType>);
@ -96,8 +113,8 @@ pub(crate) trait MessageType: Sized {
Ok(val) => { Ok(val) => {
if let Ok(len) = val.parse::<u64>() { if let Ok(len) = val.parse::<u64>() {
// accept 0 lengths here and remove them later in this method after // accept 0 lengths here and remove them in `decode` after all
// all headers have been processed // headers have been processed to prevent request smuggling issues
content_length = Some(len); content_length = Some(len);
} else { } else {
debug!("illegal Content-Length: {:?}", val); debug!("illegal Content-Length: {:?}", val);
@ -179,19 +196,6 @@ pub(crate) trait MessageType: Sized {
self.set_expect() self.set_expect()
} }
// Remove CL value if 0 now that all headers are processed. Protects against some request
// smuggling attacks. See https://github.com/actix/actix-web/issues/2767.
if matches!(content_length, Some(0)) {
content_length = None;
}
// disallow HTTP/1.0 request that do not contain a Content-Length headers
// see https://datatracker.ietf.org/doc/html/rfc1945#section-7.2.2
if version == Version::HTTP_10 && content_length.is_none() {
debug!("no Content-Length specified for HTTP/1.0 request");
return Err(ParseError::Header);
}
// https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 // https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
if chunked { if chunked {
// Chunked encoding // Chunked encoding
@ -271,7 +275,22 @@ impl MessageType for Request {
let mut msg = Request::new(); let mut msg = Request::new();
// convert headers // convert headers
let length = msg.set_headers(&src.split_to(len).freeze(), &headers[..h_len], ver)?; let mut length =
msg.set_headers(&src.split_to(len).freeze(), &headers[..h_len], ver)?;
// disallow HTTP/1.0 POST requests that do not contain a Content-Length headers
// see https://datatracker.ietf.org/doc/html/rfc1945#section-7.2.2
if ver == Version::HTTP_10 && method == Method::POST && length.is_none() {
debug!("no Content-Length specified for HTTP/1.0 POST request");
return Err(ParseError::Header);
}
// Remove CL value if 0 now that all headers and HTTP/1.0 special cases are processed.
// Protects against some request smuggling attacks.
// See https://github.com/actix/actix-web/issues/2767.
if length.is_zero() {
length = PayloadLength::None;
}
// payload decoder // payload decoder
let decoder = match length { let decoder = match length {
@ -359,7 +378,15 @@ impl MessageType for ResponseHead {
msg.version = ver; msg.version = ver;
// convert headers // convert headers
let length = msg.set_headers(&src.split_to(len).freeze(), &headers[..h_len], ver)?; let mut length =
msg.set_headers(&src.split_to(len).freeze(), &headers[..h_len], ver)?;
// Remove CL value if 0 now that all headers and HTTP/1.0 special cases are processed.
// Protects against some request smuggling attacks.
// See https://github.com/actix/actix-web/issues/2767.
if length.is_zero() {
length = PayloadLength::None;
}
// message payload // message payload
let decoder = if let PayloadLength::Payload(pl) = length { let decoder = if let PayloadLength::Payload(pl) = length {
@ -628,14 +655,40 @@ mod tests {
} }
#[test] #[test]
fn test_parse_post() { fn parse_h10_post() {
let mut buf = BytesMut::from("POST /test2 HTTP/1.0\r\n\r\n"); let mut buf = BytesMut::from(
"POST /test1 HTTP/1.0\r\n\
Content-Length: 3\r\n\
\r\n\
abc",
);
let mut reader = MessageDecoder::<Request>::default();
let (req, _) = reader.decode(&mut buf).unwrap().unwrap();
assert_eq!(req.version(), Version::HTTP_10);
assert_eq!(*req.method(), Method::POST);
assert_eq!(req.path(), "/test1");
let mut buf = BytesMut::from(
"POST /test2 HTTP/1.0\r\n\
Content-Length: 0\r\n\
\r\n",
);
let mut reader = MessageDecoder::<Request>::default(); let mut reader = MessageDecoder::<Request>::default();
let (req, _) = reader.decode(&mut buf).unwrap().unwrap(); let (req, _) = reader.decode(&mut buf).unwrap().unwrap();
assert_eq!(req.version(), Version::HTTP_10); assert_eq!(req.version(), Version::HTTP_10);
assert_eq!(*req.method(), Method::POST); assert_eq!(*req.method(), Method::POST);
assert_eq!(req.path(), "/test2"); assert_eq!(req.path(), "/test2");
let mut buf = BytesMut::from(
"POST /test3 HTTP/1.0\r\n\
\r\n",
);
let mut reader = MessageDecoder::<Request>::default();
let err = reader.decode(&mut buf).unwrap_err();
assert!(err.to_string().contains("Header"))
} }
#[test] #[test]
@ -1034,7 +1087,7 @@ mod tests {
// in HTTP/1.0 transfer encoding is ignored and must therefore contain a CL header // in HTTP/1.0 transfer encoding is ignored and must therefore contain a CL header
let mut buf = BytesMut::from( let mut buf = BytesMut::from(
"GET / HTTP/1.0\r\n\ "POST / HTTP/1.0\r\n\
Host: example.com\r\n\ Host: example.com\r\n\
Transfer-Encoding: chunked\r\n\ Transfer-Encoding: chunked\r\n\
\r\n\ \r\n\