HTTP parser: stricter chunk-ext OBS handling

pajod · pajod · commit e710393d142e · 2023-12-17T17:46:56.000+01:00
chunk extensions are silently ignored before and after this change;
its just the whitespace handling for the case without extensions that matters
applying same strip(WS)-&gt;rstrip(BWS) replacement as already done in related cases

half-way fix: could probably reject all BWS cases, rejecting only misplaced ones
diff --git a/gunicorn/http/body.py b/gunicorn/http/body.py
@@ -85,7 +85,10 @@ def parse_chunk_size(self, unreader, data=None):
         data = buf.getvalue()
         line, rest_chunk = data[:idx], data[idx + 2:]
 
-        chunk_size = line.split(b";", 1)[0].strip()
+        # RFC9112 7.1.1: BWS before chunk-ext - but ONLY then
+        chunk_size, *chunk_ext = line.split(b";", 1)
+        if chunk_ext:
+            chunk_size = chunk_size.rstrip(b" \t")
         if any(n not in b"0123456789abcdefABCDEF" for n in chunk_size):
             raise InvalidChunkSize(chunk_size)
         chunk_size = int(chunk_size, 16)
diff --git a/tests/requests/invalid/chunked_09.http b/tests/requests/invalid/chunked_09.http
@@ -0,0 +1,7 @@
+POST /chunked_ows_without_ext HTTP/1.1\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+0 \r\n
+\r\n
diff --git a/tests/requests/invalid/chunked_09.py b/tests/requests/invalid/chunked_09.py
@@ -0,0 +1,2 @@
+from gunicorn.http.errors import InvalidChunkSize
+request = InvalidChunkSize
diff --git a/tests/requests/invalid/chunked_10.http b/tests/requests/invalid/chunked_10.http
@@ -0,0 +1,7 @@
+POST /chunked_ows_before HTTP/1.1\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+ 0\r\n
+\r\n
diff --git a/tests/requests/invalid/chunked_10.py b/tests/requests/invalid/chunked_10.py
@@ -0,0 +1,2 @@
+from gunicorn.http.errors import InvalidChunkSize
+request = InvalidChunkSize
diff --git a/tests/requests/invalid/chunked_11.http b/tests/requests/invalid/chunked_11.http
@@ -0,0 +1,7 @@
+POST /chunked_ows_before HTTP/1.1\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\n;\r\n
+hello\r\n
+0\r\n
+\r\n
diff --git a/tests/requests/invalid/chunked_11.py b/tests/requests/invalid/chunked_11.py
@@ -0,0 +1,2 @@
+from gunicorn.http.errors import InvalidChunkSize
+request = InvalidChunkSize
diff --git a/tests/requests/valid/025.http b/tests/requests/valid/025.http
@@ -3,7 +3,7 @@ Transfer-Encoding: chunked\r\n
 \r\n
 5; some; parameters=stuff\r\n
 hello\r\n
-6; blahblah; blah\r\n
+6 \t;\tblahblah; blah\r\n
  world\r\n
 0\r\n
 \r\n

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+from gunicorn.http.errors import InvalidChunkSize`
	`2`	`+request = InvalidChunkSize`