Fix Content-Length ', '-separated string issues

After a security issue, we ensure we comply to RFC-7230 -- HTTP/1.1 Message Syntax and Routing - section 3.3.2 -- Content-Length - section 3.3.3 -- Message Body Length
libwww-perl · Jun 27, 2022 · e84475d · e84475d
1 parent 331d5c1
commit e84475d
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
@@ -288,6 +288,32 @@ READ_HEADER:
     }
     elsif ($ct_len) {
 
+        # After a security issue, we ensure we comply to
+        # RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+        # section 3.3.2 -- Content-Length
+        # section 3.3.3 -- Message Body Length
+
+        # split and clean up Content-Length ', ' separated string
+        my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str }
+            split ',', $ct_len;
+        # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+        my @nums = grep { /^[0-9]+$/} @vals;
+        unless (@vals == @nums) {
+            $self->send_error(400);
+            $self->reason("Content-Length value must be a unsigned integer");
+            return;
+        }
+        # check they are all the same
+        my $ct_len = shift @nums;
+        foreach (@nums) {
+            next if $_ == $ct_len;
+            $self->send_error(400);
+            $self->reason("Content-Length values are not the same");
+            return;
+        }
+        # ensure we have now a fixed header, with only 1 value
+        $r->header('Content-Length' => $ct_len);
+
         # Plain body specified by "Content-Length"
         my $missing = $ct_len - length($buf);
         while ($missing > 0) {