Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

core: disallow parsing of Transfer-Encoding other than chunked #3754

Merged
merged 7 commits into from
Feb 15, 2021
Merged

core: disallow parsing of Transfer-Encoding other than chunked #3754

merged 7 commits into from
Feb 15, 2021

Conversation

johanandren
Copy link
Member

No description provided.

@akka-ci akka-ci added validating PR that is currently being validated by Jenkins needs-attention Indicates a PR validation failure (set by CI infrastructure) and removed validating PR that is currently being validated by Jenkins labels Feb 8, 2021
@akka-ci
Copy link

akka-ci commented Feb 8, 2021

Test FAILed.

Pull request validation report

Failed Test Suites

Test result for akka-http-core / Pr-validation / ./ executeTests

[info] ScalaTest
[info] Run completed in 3 minutes, 55 seconds.
[info] Total number of tests run: 1074
[info] Suites: completed 78, aborted 0  Scopes: pending 1
[info] Tests: succeeded 1072, failed 2, canceled 0, ignored 2, pending 54
[info] *** 2 TESTS FAILED ***
[error] Failed: Total 1074, Failed 2, Errors 0, Passed 1072, Ignored 2, Pending 54
[error] Failed tests:
[error] 	akka.http.impl.engine.parsing.ResponseParserLFSpec
[error] 	akka.http.impl.engine.parsing.ResponseParserCRLFSpec

@johanandren
Copy link
Member Author

Missing test coverage for responses.

@akka-ci akka-ci added validating PR that is currently being validated by Jenkins tested PR that was successfully built and tested by Jenkins and removed needs-attention Indicates a PR validation failure (set by CI infrastructure) validating PR that is currently being validated by Jenkins labels Feb 8, 2021
@akka-ci
Copy link

akka-ci commented Feb 8, 2021

Test PASSed.

@akka-ci akka-ci added validating PR that is currently being validated by Jenkins and removed tested PR that was successfully built and tested by Jenkins labels Feb 8, 2021
@akka-ci akka-ci added tested PR that was successfully built and tested by Jenkins and removed validating PR that is currently being validated by Jenkins labels Feb 8, 2021
@akka-ci
Copy link

akka-ci commented Feb 8, 2021

Test PASSed.

jrudolph
jrudolph reviewed Feb 8, 2021
View reviewed changes
Copy link
Member

@jrudolph jrudolph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can be even more strict than that. Basically, akka-http is implementing the "Transfer", so whatever we cannot decode, cannot be decoded.

The part that ends up in the entity should be the "Content", i.e. the representation that is described by the Content-... headers.

Especially in a proxy case, preserving any additional Transfer-Encodings seems dangerous, as we might be missing something to allow a fully functional round-trip in that case, or the user misses something trying to inspect a half-decoded entity.

So, I would suggest, for now we only allow a single chunked encoding here and fail everything else.

Btw. the current HTTP spec is RFC 7230.

The question is whether we need an escape hatch? I'm somewhat inclined to be lazy about it and wait until someone complains and explains why we should support their custom use-case (or contributes that feature). WDYT?

@akka-ci akka-ci added validating PR that is currently being validated by Jenkins tested PR that was successfully built and tested by Jenkins and removed tested PR that was successfully built and tested by Jenkins validating PR that is currently being validated by Jenkins labels Feb 8, 2021
@akka-ci
Copy link

akka-ci commented Feb 8, 2021

Test PASSed.

@johanandren
* Boolean flag for isChunked instead of list of headers
ebde79e 
 * test coverage for Transfer-Encoding + Content-Length
 * Inconsistent period removed
 * better error for multiple transfer encodings
@akka-ci akka-ci added validating PR that is currently being validated by Jenkins and removed tested PR that was successfully built and tested by Jenkins labels Feb 8, 2021
@akka-ci akka-ci added needs-attention Indicates a PR validation failure (set by CI infrastructure) and removed validating PR that is currently being validated by Jenkins labels Feb 8, 2021
@akka-ci
Copy link

akka-ci commented Feb 8, 2021

Test FAILed.

Pull request validation report

Mima Failures 
Problems for `akka-http-core`:
akka-http-core: found 9 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.13:10.2.1  (filtered 40)
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in class akka.http.impl.engine.parsing.HttpResponseParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpResponseParser.addTransferEncodingWithChunkedPeeled")
 * synthetic method parseHeaderLines$default$8()scala.Option in class akka.http.impl.engine.parsing.HttpResponseParser has a different result type in current version, where it is Boolean rather than scala.Option
   filter with: ProblemFilters.exclude[IncompatibleResultTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines$default$8")
 * method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseEntity")
 * abstract method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser's type is different in current version, where it is (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseEntity")
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseHeaderLines")
 * synthetic method parseHeaderLines$default$8()scala.Option in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseHeaderLines$default$8")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.addTransferEncodingWithChunkedPeeled")
 * abstract method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseEntity")

akka-http-core: found 9 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.13:10.2.2  (filtered 36)
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in class akka.http.impl.engine.parsing.HttpResponseParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpResponseParser.addTransferEncodingWithChunkedPeeled")
 * synthetic method parseHeaderLines$default$8()scala.Option in class akka.http.impl.engine.parsing.HttpResponseParser has a different result type in current version, where it is Boolean rather than scala.Option
   filter with: ProblemFilters.exclude[IncompatibleResultTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines$default$8")
 * method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseEntity")
 * abstract method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser's type is different in current version, where it is (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseEntity")
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseHeaderLines")
 * synthetic method parseHeaderLines$default$8()scala.Option in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseHeaderLines$default$8")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.addTransferEncodingWithChunkedPeeled")
 * abstract method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseEntity")

akka-http-core: found 9 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.13:10.2.3  (filtered 11)
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in class akka.http.impl.engine.parsing.HttpResponseParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpResponseParser.addTransferEncodingWithChunkedPeeled")
 * synthetic method parseHeaderLines$default$8()scala.Option in class akka.http.impl.engine.parsing.HttpResponseParser has a different result type in current version, where it is Boolean rather than scala.Option
   filter with: ProblemFilters.exclude[IncompatibleResultTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines$default$8")
 * method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseEntity")
 * abstract method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser's type is different in current version, where it is (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseEntity")
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseHeaderLines")
 * synthetic method parseHeaderLines$default$8()scala.Option in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseHeaderLines$default$8")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in interface akka.http.impl.engine.parsing.HttpMessageParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.addTransferEncodingWithChunkedPeeled")
 * abstract method parseEntity(scala.collection.immutable.List,akka.http.scaladsl.model.HttpProtocol,akka.util.ByteString,Int,scala.Option,scala.Option,Boolean,Boolean,Boolean,Boolean,javax.net.ssl.SSLSession)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in interface akka.http.impl.engine.parsing.HttpMessageParser is present only in current version
   filter with: ProblemFilters.exclude[ReversedMissingMethodProblem]("akka.http.impl.engine.parsing.HttpMessageParser.parseEntity")

akka-http-core: found 3 potential binary incompatibilities while checking against com.typesafe.akka:akka-http-core_2.13:10.2.0  (filtered 60)
 * method parseHeaderLines(akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult in class akka.http.impl.engine.parsing.HttpResponseParser's type is different in current version, where it is (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,Boolean,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult instead of (akka.util.ByteString,Int,scala.collection.mutable.ListBuffer,Int,scala.Option,scala.Option,scala.Option,scala.Option,Boolean,Boolean)akka.http.impl.engine.parsing.HttpMessageParser#StateResult
   filter with: ProblemFilters.exclude[IncompatibleMethTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines")
 * method addTransferEncodingWithChunkedPeeled(scala.collection.immutable.List,akka.http.scaladsl.model.headers.Transfer-Encoding)scala.collection.immutable.List in class akka.http.impl.engine.parsing.HttpResponseParser does not have a correspondent in current version
   filter with: ProblemFilters.exclude[DirectMissingMethodProblem]("akka.http.impl.engine.parsing.HttpResponseParser.addTransferEncodingWithChunkedPeeled")
 * synthetic method parseHeaderLines$default$8()scala.Option in class akka.http.impl.engine.parsing.HttpResponseParser has a different result type in current version, where it is Boolean rather than scala.Option
   filter with: ProblemFilters.exclude[IncompatibleResultTypeProblem]("akka.http.impl.engine.parsing.HttpResponseParser.parseHeaderLines$default$8")

@akka-ci akka-ci added validating PR that is currently being validated by Jenkins tested PR that was successfully built and tested by Jenkins and removed needs-attention Indicates a PR validation failure (set by CI infrastructure) validating PR that is currently being validated by Jenkins labels Feb 8, 2021
@akka-ci
Copy link

akka-ci commented Feb 8, 2021

Test PASSed.

jrudolph
jrudolph approved these changes Feb 15, 2021
View reviewed changes
Copy link
Member

@jrudolph jrudolph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, only some cosmetics below

...in/mima-filters/10.2.3.backwards.excludes/stricter-transfer-encoding-header-parsing.excludes Outdated Show resolved Hide resolved
akka-http-core/src/main/scala/akka/http/impl/engine/parsing/HttpMessageParser.scala Outdated Show resolved Hide resolved
akka-http-core/src/main/scala/akka/http/impl/engine/parsing/HttpResponseParser.scala Show resolved Hide resolved
akka-http-core/src/test/scala/akka/http/impl/engine/parsing/RequestParserSpec.scala Show resolved Hide resolved
@akka-ci akka-ci added validating PR that is currently being validated by Jenkins and removed tested PR that was successfully built and tested by Jenkins labels Feb 15, 2021
@jrudolph jrudolph mentioned this pull request Feb 15, 2021
Open
@akka-ci akka-ci added tested PR that was successfully built and tested by Jenkins and removed validating PR that is currently being validated by Jenkins labels Feb 15, 2021
@akka-ci
Copy link

akka-ci commented Feb 15, 2021

Test PASSed.

@jrudolph jrudolph changed the title Disallow chunked as non-last Transfer-Encoding core: disallow parsing of Transfer-Encoding other than chunked Feb 15, 2021
@jrudolph jrudolph merged commit e3a4935 into akka:master Feb 15, 2021
@jrudolph
Copy link
Member

Thanks for fixing, @johanandren.

@johanandren johanandren deleted the wip-multi-transfer-encoding-and-content-length branch February 15, 2021 14:43
johanandren added a commit to johanandren/akka-http that referenced this pull request Feb 22, 2021
@johanandren
core: disallow parsing of Transfer-Encoding other than chunked (akka#…
51b903b 
…3754)

Backport from 10.2
@johanandren johanandren mentioned this pull request Feb 22, 2021
Merged
@thjaeckle
Copy link

Will this be released soon?
There is a ongoing medium CVE without a released Akka HTTP version fixing this (the Recommendation is wrong as this fix is not available in version 10.2.3): https://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043

@mhenke1
Copy link

mhenke1 commented Feb 22, 2021
edited
Loading

Is there any chance to get this change into 10.1.x too? We also need to close CVE-2021-23339.

@ignasi35
Copy link
Member

Is there any chance to get this change into 10.1.x too? We also need to close CVE-2021-23339.

See #3765 for the backport.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrudolph jrudolph jrudolph approved these changes

@ignasi35 ignasi35 ignasi35 approved these changes

Assignees
No one assigned
Labels
tested PR that was successfully built and tested by Jenkins
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@johanandren @akka-ci @jrudolph @thjaeckle @mhenke1 @ignasi35