From 4025ed5fc405422fcd6d85bd5b5db965c5c31883 Mon Sep 17 00:00:00 2001
From: tabudz <tanb74653@gmail.com>
Date: Tue, 25 Feb 2025 15:20:34 +0800
Subject: [PATCH 1/2] http: unset F_CHUNKED on new Transfer-Encoding
Duplicate `Transfer-Encoding` headers should be treated as a single header,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should not let `F_CHUNKED` leak into the next
header, because the mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.
CVE-ID: CVE-2020-8287
PR-URL: nodejs-private/node-private#235
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
http/http_parser.c | 7 +++++++
1 file changed, 7 insertions(+)
@@ -1335,6 +1335,13 @@ size_t http_parser_execute (http_parser *parser,
parser->header_state = h_general;
} else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
parser->header_state = h_transfer_encoding;
+ /* Multiple `Transfer-Encoding` headers should be treated as
+ * one, but with values separate by a comma.
+ *
+ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
+ */
+ parser->flags &= ~F_CHUNKED;
+ }
}
break;
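Review bot: The added `}` directly after `parser->flags &= ~F_CHUNKED;` has no matching opening brace among the added lines, so the `else if (parser->index == sizeof(TRANSFER_ENCODING)-2)` branch closes one level more than it opens and this commit looks unbalanced on its own. Drop that `}` in this patch rather than in a follow-up, so every commit in the series builds and bisects cleanly. The comment should also read "values separated by a comma", and a test with two `Transfer-Encoding` headers where the first ends in `chunked` would cover the case the commit message describes.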
From a754a9046dc969adbb93880aa32ed46d615e4c4a Mon Sep 17 00:00:00 2001
From: tabudz <64760144+tabudz@users.noreply.github.com>
Date: Tue, 25 Feb 2025 20:18:28 +0800
Subject: [PATCH 2/2] Update http_parser.c
http/http_parser.c | 1 -
1 file changed, 1 deletion(-)
@@ -1342,7 +1342,6 @@ size_t http_parser_execute (http_parser *parser,
*/
parser->flags &= ~F_CHUNKED;
}
- }
break;
/* upgrade */
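Review bot: The subject "Update http_parser.c" and the empty body give no reason for removing the `}` before `break;`. If this is the extra brace added in 1/2, squash the change into that patch; otherwise give the commit a descriptive subject and one line naming the block the brace belonged to.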