Permalink
Browse files

Check the Content-Length before reading the request's content

Some browsers, like Firefox, do not support files that are larger than 2GB.
Uploading a >2GB file causes an integer overflow and the Content-Length
header is set to a negative value.

To prevent any crash in this case, we check the Content-Length value before
reading the request's content. When the value is negative, an error 400 is
returned.

A bug about this problem is openned for Firefox:
    - https://bugzilla.mozilla.org/show_bug.cgi?id=215450
  • Loading branch information...
capflam committed Apr 26, 2012
1 parent c74a92e commit 02e9baf30bad679ffa6b649add06d97999a223bf
Showing with 14 additions and 4 deletions.
  1. +14 −4 src/yaws_server.erl
View
@@ -1513,7 +1513,7 @@ body_method(CliSock, IPPort, Req, Head) ->
SC=get(sc),
ok = yaws:setopts(CliSock, [{packet, raw}, binary], yaws:is_ssl(SC)),
PPS = SC#sconf.partial_post_size,
- Bin = case Head#headers.content_length of
+ Res = case Head#headers.content_length of
undefined ->
case Head#headers.transfer_encoding of
"chunked" ->
@@ -1524,6 +1524,8 @@ body_method(CliSock, IPPort, Req, Head) ->
Len when is_integer(PPS) ->
Int_len = list_to_integer(Len),
if
+ Int_len < 0 ->
+ {error, content_length_overflow};
Int_len == 0 ->
<<>>;
PPS < Int_len ->
@@ -1536,16 +1538,24 @@ body_method(CliSock, IPPort, Req, Head) ->
Len when PPS == nolimit ->
Int_len = list_to_integer(Len),
if
+ Int_len < 0 ->
+ {error, content_length_overflow};
Int_len == 0 ->
<<>>;
true ->
get_client_data(CliSock, Int_len,
yaws:is_ssl(SC))
end
end,
- ?Debug("Request data = ~s~n", [binary_to_list(un_partial(Bin))]),
- ARG = make_arg(CliSock, IPPort, Head, Req, Bin),
- handle_request(CliSock, ARG, size(un_partial(Bin))).
+ case Res of
+ {error, Reason} ->
+ error_logger:format("Invalid Request: ~p~n", [Reason]),
+ deliver_400(CliSock, Req);
+ Bin ->
+ ?Debug("Request data = ~s~n", [binary_to_list(un_partial(Bin))]),
+ ARG = make_arg(CliSock, IPPort, Head, Req, Bin),
+ handle_request(CliSock, ARG, size(un_partial(Bin)))
+ end.
'MKCOL'(CliSock, IPPort, Req, Head) ->

0 comments on commit 02e9baf

Please sign in to comment.