mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 15:48:49 -05:00
HTTP: bail out on negative Content-Length: values
... and make the max filesize check trigger if the value is too big. Updates test 178. Reported-by: Brad Spencer Fixes #2212 Closes #2223
This commit is contained in:
parent
0616dfa1e0
commit
f68e672715
44
lib/http.c
44
lib/http.c
@ -5,7 +5,7 @@
|
||||
* | (__| |_| | _ <| |___
|
||||
* \___|\___/|_| \_\_____|
|
||||
*
|
||||
* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
*
|
||||
* This software is licensed as described in the file COPYING, which
|
||||
* you should have received as part of this distribution. The terms
|
||||
@ -3505,31 +3505,35 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
|
||||
if(!k->ignorecl && !data->set.ignorecl &&
|
||||
checkprefix("Content-Length:", k->p)) {
|
||||
curl_off_t contentlength;
|
||||
if(!curlx_strtoofft(k->p + 15, NULL, 10, &contentlength)) {
|
||||
CURLofft offt = curlx_strtoofft(k->p + 15, NULL, 10, &contentlength);
|
||||
|
||||
if(offt == CURL_OFFT_OK) {
|
||||
if(data->set.max_filesize &&
|
||||
contentlength > data->set.max_filesize) {
|
||||
failf(data, "Maximum file size exceeded");
|
||||
return CURLE_FILESIZE_EXCEEDED;
|
||||
}
|
||||
if(contentlength >= 0) {
|
||||
k->size = contentlength;
|
||||
k->maxdownload = k->size;
|
||||
/* we set the progress download size already at this point
|
||||
just to make it easier for apps/callbacks to extract this
|
||||
info as soon as possible */
|
||||
Curl_pgrsSetDownloadSize(data, k->size);
|
||||
}
|
||||
else {
|
||||
/* Negative Content-Length is really odd, and we know it
|
||||
happens for example when older Apache servers send large
|
||||
files */
|
||||
streamclose(conn, "negative content-length");
|
||||
infof(data, "Negative content-length: %" CURL_FORMAT_CURL_OFF_T
|
||||
", closing after transfer\n", contentlength);
|
||||
}
|
||||
k->size = contentlength;
|
||||
k->maxdownload = k->size;
|
||||
/* we set the progress download size already at this point
|
||||
just to make it easier for apps/callbacks to extract this
|
||||
info as soon as possible */
|
||||
Curl_pgrsSetDownloadSize(data, k->size);
|
||||
}
|
||||
else if(offt == CURL_OFFT_FLOW) {
|
||||
/* out of range */
|
||||
if(data->set.max_filesize) {
|
||||
failf(data, "Maximum file size exceeded");
|
||||
return CURLE_FILESIZE_EXCEEDED;
|
||||
}
|
||||
streamclose(conn, "overflow content-length");
|
||||
infof(data, "Overflow Content-Length: value!\n");
|
||||
}
|
||||
else {
|
||||
/* negative or just rubbish - bad HTTP */
|
||||
failf(data, "Invalid Content-Length: value");
|
||||
return CURLE_WEIRD_SERVER_REPLY;
|
||||
}
|
||||
else
|
||||
infof(data, "Illegal Content-Length: header\n");
|
||||
}
|
||||
/* check for Content-Type: header lines to get the MIME-type */
|
||||
else if(checkprefix("Content-Type:", k->p)) {
|
||||
|
@ -18,6 +18,10 @@ Funny-head: yesyes
|
||||
|
||||
moooooooooooo
|
||||
</data>
|
||||
<datacheck>
|
||||
HTTP/1.1 200 OK swsclose
|
||||
Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||
</datacheck>
|
||||
</reply>
|
||||
|
||||
#
|
||||
@ -27,7 +31,7 @@ moooooooooooo
|
||||
http
|
||||
</server>
|
||||
<name>
|
||||
simple HTTP GET with negative Content-Length
|
||||
HTTP response with negative Content-Length
|
||||
</name>
|
||||
<command>
|
||||
http://%HOSTIP:%HTTPPORT/178
|
||||
@ -46,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
|
||||
Accept: */*
|
||||
|
||||
</protocol>
|
||||
<errorcode>
|
||||
8
|
||||
</errorcode>
|
||||
</verify>
|
||||
</testcase>
|
||||
|
Loading…
Reference in New Issue
Block a user