mirror of https://github.com/moparisthebest/curl
HTTP: bail out on negative Content-Length: values
... and make the max filesize check trigger if the value is too big. Updates test 178. Reported-by: Brad Spencer Fixes #2212 Closes #2223
This commit is contained in:
parent
0616dfa1e0
commit
f68e672715
44
lib/http.c
44
lib/http.c
|
@ -5,7 +5,7 @@
|
||||||
* | (__| |_| | _ <| |___
|
* | (__| |_| | _ <| |___
|
||||||
* \___|\___/|_| \_\_____|
|
* \___|\___/|_| \_\_____|
|
||||||
*
|
*
|
||||||
* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
* Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
*
|
*
|
||||||
* This software is licensed as described in the file COPYING, which
|
* This software is licensed as described in the file COPYING, which
|
||||||
* you should have received as part of this distribution. The terms
|
* you should have received as part of this distribution. The terms
|
||||||
|
@ -3505,31 +3505,35 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
|
||||||
if(!k->ignorecl && !data->set.ignorecl &&
|
if(!k->ignorecl && !data->set.ignorecl &&
|
||||||
checkprefix("Content-Length:", k->p)) {
|
checkprefix("Content-Length:", k->p)) {
|
||||||
curl_off_t contentlength;
|
curl_off_t contentlength;
|
||||||
if(!curlx_strtoofft(k->p + 15, NULL, 10, &contentlength)) {
|
CURLofft offt = curlx_strtoofft(k->p + 15, NULL, 10, &contentlength);
|
||||||
|
|
||||||
|
if(offt == CURL_OFFT_OK) {
|
||||||
if(data->set.max_filesize &&
|
if(data->set.max_filesize &&
|
||||||
contentlength > data->set.max_filesize) {
|
contentlength > data->set.max_filesize) {
|
||||||
failf(data, "Maximum file size exceeded");
|
failf(data, "Maximum file size exceeded");
|
||||||
return CURLE_FILESIZE_EXCEEDED;
|
return CURLE_FILESIZE_EXCEEDED;
|
||||||
}
|
}
|
||||||
if(contentlength >= 0) {
|
k->size = contentlength;
|
||||||
k->size = contentlength;
|
k->maxdownload = k->size;
|
||||||
k->maxdownload = k->size;
|
/* we set the progress download size already at this point
|
||||||
/* we set the progress download size already at this point
|
just to make it easier for apps/callbacks to extract this
|
||||||
just to make it easier for apps/callbacks to extract this
|
info as soon as possible */
|
||||||
info as soon as possible */
|
Curl_pgrsSetDownloadSize(data, k->size);
|
||||||
Curl_pgrsSetDownloadSize(data, k->size);
|
}
|
||||||
}
|
else if(offt == CURL_OFFT_FLOW) {
|
||||||
else {
|
/* out of range */
|
||||||
/* Negative Content-Length is really odd, and we know it
|
if(data->set.max_filesize) {
|
||||||
happens for example when older Apache servers send large
|
failf(data, "Maximum file size exceeded");
|
||||||
files */
|
return CURLE_FILESIZE_EXCEEDED;
|
||||||
streamclose(conn, "negative content-length");
|
}
|
||||||
infof(data, "Negative content-length: %" CURL_FORMAT_CURL_OFF_T
|
streamclose(conn, "overflow content-length");
|
||||||
", closing after transfer\n", contentlength);
|
infof(data, "Overflow Content-Length: value!\n");
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
/* negative or just rubbish - bad HTTP */
|
||||||
|
failf(data, "Invalid Content-Length: value");
|
||||||
|
return CURLE_WEIRD_SERVER_REPLY;
|
||||||
}
|
}
|
||||||
else
|
|
||||||
infof(data, "Illegal Content-Length: header\n");
|
|
||||||
}
|
}
|
||||||
/* check for Content-Type: header lines to get the MIME-type */
|
/* check for Content-Type: header lines to get the MIME-type */
|
||||||
else if(checkprefix("Content-Type:", k->p)) {
|
else if(checkprefix("Content-Type:", k->p)) {
|
||||||
|
|
|
@ -18,6 +18,10 @@ Funny-head: yesyes
|
||||||
|
|
||||||
moooooooooooo
|
moooooooooooo
|
||||||
</data>
|
</data>
|
||||||
|
<datacheck>
|
||||||
|
HTTP/1.1 200 OK swsclose
|
||||||
|
Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
</datacheck>
|
||||||
</reply>
|
</reply>
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -27,7 +31,7 @@ moooooooooooo
|
||||||
http
|
http
|
||||||
</server>
|
</server>
|
||||||
<name>
|
<name>
|
||||||
simple HTTP GET with negative Content-Length
|
HTTP response with negative Content-Length
|
||||||
</name>
|
</name>
|
||||||
<command>
|
<command>
|
||||||
http://%HOSTIP:%HTTPPORT/178
|
http://%HOSTIP:%HTTPPORT/178
|
||||||
|
@ -46,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
|
||||||
Accept: */*
|
Accept: */*
|
||||||
|
|
||||||
</protocol>
|
</protocol>
|
||||||
|
<errorcode>
|
||||||
|
8
|
||||||
|
</errorcode>
|
||||||
</verify>
|
</verify>
|
||||||
</testcase>
|
</testcase>
|
||||||
|
|
Loading…
Reference in New Issue