Server hangs when chunk-size does not match actual data size in chunked transfer encoding #10596
Description
Describe the bug
Aiohttp does not properly handle chunked transfer encoding when the chunk-size does not match the actual data size. Instead of rejecting the request with a 400 Bad Request, the server hangs indefinitely.
To Reproduce
- Run aiohttp.
- Send the following request:
POST / HTTP/1.1\r\n
Host: victim.com\r\n
Transfer-Encoding: chunked\r\n
\r\n
4(or 6)\r\n
Hello\r\n
0\r\n
\r\n
- aiohttp does not reject, but hangs unresponsive.
Expected behavior
The server should reject with 400 Bad Request.
RFC 9112 says this:
chunk-data= 1*OCTET ; a sequence ofchunk-sizeoctets.
This may imply that the length of chunk-data should be as indicated by chunk-size.
Take waitress as example:
$ echo -ne "POST / HTTP/1.1\r\nHost: victim.com\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nHello\r\n0\r\n\r\n" | nc 172.18.0.6 80
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 71
Content-Type: text/plain; charset=utf-8
Date: Tue, 18 Mar 2025 14:50:37 GMT
Server: waitress
Bad Request
Chunk not properly terminated
(generated by waitress)
Logs/tracebacks
/Python Version
$ python --version
Python 3.10.12aiohttp Version
$ python -m pip show aiohttp
Judging by the response:
aiohttp/4.0.0a2.dev0
(Instead of downloading aiohttp via pip, I deployed aiohttp via docker)multidict Version
$ python -m pip show multidict
/propcache Version
$ python -m pip show propcache
/yarl Version
$ python -m pip show yarl
/OS
Ubuntu 11.4.0-1ubuntu1~22.04
Related component
Server
Additional context
No response
Code of Conduct
- I agree to follow the aio-libs Code of Conduct