net.http,veb: fix detection of the headers/body boundary in parse_request_head_str (fix #26091) (#26112)

Author: enghitalo

vlib/net/http/request.v

@@ -435,34 +435,41 @@ pub fn parse_request_head(mut reader io.BufferedReader) !Request {
 
 // parse_request_head parses *only* the header of a raw HTTP request into a Request object
 pub fn parse_request_head_str(s string) !Request {
-	// TODO called by veb twice!?
-	pos0 := s.index('\n') or { 0 }
-	lines := s.split('\n')
+	pos0 := s.index('\n') or { return error('malformed request: no request line found') }
 	line0 := s[..pos0].trim_space()
-
 	method, target, version := parse_request_line(line0)!
 
 	// headers
 	mut header := new_header()
-	for i := 1; i < lines.len; i++ {
-		mut line := lines[i].trim_right('\r')
+	// split by newline and skip the first line (request line)
+	lines := s[pos0 + 1..].split('\n')
+
+	for line_raw in lines {
+		line := line_raw.trim_right('\r')
+
+		// IMPORTANT: HTTP headers end at the first empty line.
+		// If we hit this, we are now at the body, so we stop parsing headers.
+		if line == '' {
+			break
+		}
+
 		if !line.contains(':') {
 			continue
 		}
-		// key, value := parse_header(line)!
+
 		mut pos := parse_header_fast(line)!
 		key := line.substr_unsafe(0, pos)
-		for pos < line.len - 1 && line[pos + 1].is_space() {
-			// Skip space or tab in value name
-			pos++
+
+		// Skip space or tab after the colon
+		mut val_start := pos + 1
+		for val_start < line.len && line[val_start].is_space() {
+			val_start++
 		}
-		if pos + 1 < line.len {
-			value := line.substr_unsafe(pos + 1, line.len)
-			_, _ = key, value
-			// println('key,value=${key},${value}')
+
+		if val_start < line.len {
+			value := line.substr_unsafe(val_start, line.len)
 			header.add_custom(key, value)!
 		}
-		// header.coerce(canonicalize: true)
 	}
 
 	mut request_cookies := map[string]string{}
@@ -480,6 +487,20 @@ pub fn parse_request_head_str(s string) !Request {
 	}
 }
 
+// parse_request_str parses a raw HTTP request string into a Request object.
+pub fn parse_request_str(s string) !Request {
+	mut request := parse_request_head_str(s)!
+
+	delim := '\r\n\r\n'
+	body_pos := s.index(delim) or { -1 }
+
+	if body_pos != -1 {
+		request.data = s[body_pos + delim.len..]
+	}
+
+	return request
+}
+
 fn parse_request_line(line string) !(Method, urllib.URL, Version) {
 	// println('S=${s}')
 	words := line.split(' ')

vlib/net/http/request_test.v

@@ -250,6 +250,32 @@ fn test_parse_request_head_str_post_with_headers() {
 	assert req.header.custom_values('Content-Type') == ['application/json']
 }
 
+fn test_parse_request_head_str_post_with_headers_and_body() {
+	s := 'POST /index HTTP/1.1\r\nHost: localhost:9008\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\nContent-Type: application/json\r\nContent-Length: 24\r\nConnection: keep-alive\r\n\r\n{"username": "test"}'
+	req := http.parse_request_head_str(s) or {
+		assert false, 'did not parse: ${err}'
+		return
+	}
+	assert req.method == .post
+	assert req.url == '/index'
+	assert req.version == .v1_1
+	assert req.host == 'localhost:9008'
+	assert req.header.custom_values('User-Agent') == ['curl/7.68.0']
+	assert req.header.custom_values('Accept') == ['*/*']
+	assert req.header.custom_values('Content-Type') == ['application/json']
+	assert req.header.custom_values('Connection') == ['keep-alive']
+	assert req.data == ''
+}
+
+fn test_parse_request_head_post_with_headers_and_body() {
+	s := 'POST /index HTTP/1.1\r\nHost: localhost:9008\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\nContent-Type: application/json\r\nContent-Length: 24\r\nConnection: keep-alive\r\n\r\n{"username": "test"}'
+	req := http.parse_request_str(s) or {
+		assert false, 'did not parse: ${err}'
+		return
+	}
+	assert req.data == '{"username": "test"}'
+}
+
 fn test_parse_request_head_str_with_spaces_in_header_values() {
 	s := 'GET /path HTTP/1.1\r\nX-Custom-Header: value with spaces\r\n\r\n'
 	req := http.parse_request_head_str(s) or { panic('did not parse: ${err}') }

vlib/veb/veb_d_new_veb.v

@@ -76,12 +76,12 @@ fn parallel_request_handler[A, X](req fasthttp.HttpRequest) ![]u8 {
 	client_fd := req.client_conn_fd
 
 	// Parse the raw request bytes into a standard `http.Request`.
-	req2 := http.parse_request_head_str(s.clone()) or {
+	req2 := http.parse_request_str(s.clone()) or {
 		eprintln('[veb] Failed to parse request: ${err}')
 		println('s=')
 		println(s)
 		println('==============')
-		return http_ok_response // tiny_bad_request_response
+		return 'HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\nConnection: close\r\n\r\n'.bytes()
 	}
 	// Create and populate the `veb.Context`.
 	completed_context := handle_request_and_route[A, X](mut global_app, req2, client_fd,