On Mon, Apr 13, 2026 at 04:32:20PM +0200, Claudio Jeker wrote:
> Here is a diff that actually applies.
>
> The 2nd hunk is enforcing that Content-Length and Transfer-Encoding:
> chunked can not co-exist.
>
> --
> :wq Claudio
>
> Index: server_http.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> diff -u -p -r1.161 server_http.c
> --- server_http.c 2 Mar 2026 19:24:58 -0000 1.161
> +++ server_http.c 13 Apr 2026 14:18:54 -0000
> @@ -396,8 +396,13 @@ server_read_http(struct bufferevent *bev
> }
>
> if (strcasecmp("Transfer-Encoding", key) == 0 &&
> - strcasecmp("chunked", value) == 0)
> + strcasecmp("chunked", value) == 0) {
> desc->http_chunked = 1;
> + } else {
> + server_abort_http(clt, 400,
> + "malformed transfer-encoding");
> + goto abort;
> + }
>
> if (clt->clt_line != 1) {
> if ((hdr = kv_add(&desc->http_headers, key,
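
Review bot: the `else` added after `desc->http_chunked = 1;` binds to the whole `strcasecmp("Transfer-Encoding", key) == 0 && strcasecmp("chunked", value) == 0` test, so every header line that is not exactly Transfer-Encoding: chunked takes the 400 "malformed transfer-encoding" path, whatever its key. Split this into an outer check on the key and an inner check on the value, so that only a Transfer-Encoding header with a value other than chunked is rejected. Because the value comparison is an exact match, a short comment saying that any other value is refused on purpose would also help.
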
> @@ -479,6 +484,10 @@ server_read_http(struct bufferevent *bev
> case HTTP_METHOD_TRACE:
> default:
> server_abort_http(clt, 405, "method not allowed");
> + return;
> + }
> + if (clt->clt_toread > 0 && desc->http_chunked) {
> + server_abort_http(clt, 400, "malformed");
> return;
> }
> if (desc->http_chunked) {
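
Review bot: the new `clt->clt_toread > 0 && desc->http_chunked` test only fires for a positive length, so, assuming clt_toread carries the parsed Content-Length, a request with Content-Length: 0 plus Transfer-Encoding: chunked still passes, although the stated goal is that the two headers cannot co-exist. Consider tracking whether a Content-Length header was seen at all and rejecting on that instead of on the value. The 400 reason "malformed" is also less specific than the one in the first hunk; name the conflict in the message and add a one-line comment saying the check refuses ambiguous message framing.
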
Shouldn't that first part be (as in the original suggested patch):

    if (strcasecmp("Transfer-Encoding", key) == 0) {
        if (strcasecmp("chunked", value) == 0)
            desc->http_chunked = 1;
        else {
            server_abort_http(clt, 400,
                "malformed transfer-encoding");
            goto abort;
        }
    }

Otherwise you're going to produce a bunch of incorrect 400 responses for other
headers.

--
Jim Lippard [email protected] http://www.discord.org/
GPG Key ID: 0x99FD5CD6