HTTP: bail out on negative Content-Length: values

... and make the max filesize check trigger if the value is too big.

Updates test 178.

Reported-by: Brad Spencer
Fixes #2212
Closes #2223
Daniel Stenberg 2018-01-09 17:24:48 +13:00
parent 0616dfa1e0
commit f68e672715
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 32 additions and 21 deletions


@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -3505,31 +3505,35 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
if(!k->ignorecl && !data->set.ignorecl && if(!k->ignorecl && !data->set.ignorecl &&
checkprefix("Content-Length:", k->p)) { checkprefix("Content-Length:", k->p)) {
curl_off_t contentlength; curl_off_t contentlength;
if(!curlx_strtoofft(k->p + 15, NULL, 10, &contentlength)) { CURLofft offt = curlx_strtoofft(k->p + 15, NULL, 10, &contentlength);
if(offt == CURL_OFFT_OK) {
if(data->set.max_filesize && if(data->set.max_filesize &&
contentlength > data->set.max_filesize) { contentlength > data->set.max_filesize) {
failf(data, "Maximum file size exceeded"); failf(data, "Maximum file size exceeded");
return CURLE_FILESIZE_EXCEEDED; return CURLE_FILESIZE_EXCEEDED;
} }
if(contentlength >= 0) { k->size = contentlength;
k->size = contentlength; k->maxdownload = k->size;
k->maxdownload = k->size; /* we set the progress download size already at this point
/* we set the progress download size already at this point just to make it easier for apps/callbacks to extract this
just to make it easier for apps/callbacks to extract this info as soon as possible */
info as soon as possible */ Curl_pgrsSetDownloadSize(data, k->size);
Curl_pgrsSetDownloadSize(data, k->size); }
} else if(offt == CURL_OFFT_FLOW) {
else { /* out of range */
/* Negative Content-Length is really odd, and we know it if(data->set.max_filesize) {
happens for example when older Apache servers send large failf(data, "Maximum file size exceeded");
files */ return CURLE_FILESIZE_EXCEEDED;
streamclose(conn, "negative content-length"); }
infof(data, "Negative content-length: %" CURL_FORMAT_CURL_OFF_T streamclose(conn, "overflow content-length");
", closing after transfer\n", contentlength); infof(data, "Overflow Content-Length: value!\n");
} }
else {
/* negative or just rubbish - bad HTTP */
failf(data, "Invalid Content-Length: value");
return CURLE_WEIRD_SERVER_REPLY;
} }
else
infof(data, "Illegal Content-Length: header\n");
} }
/* check for Content-Type: header lines to get the MIME-type */ /* check for Content-Type: header lines to get the MIME-type */
else if(checkprefix("Content-Type:", k->p)) { else if(checkprefix("Content-Type:", k->p)) {
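Review bot: The `curlx_strtoofft(k->p + 15, NULL, 10, &contentlength)` call still passes `NULL` in the end-pointer position, so nothing in this branch checks what follows the digits; a value made of digits followed by other characters would presumably come back as `CURL_OFFT_OK` and be stored in `k->size`. Since this commit already turns malformed lengths into `CURLE_WEIRD_SERVER_REPLY`, I would pass `&endp` instead and route anything other than trailing whitespace at `endp` to the same `failf(data, "Invalid Content-Length: value")` path, because lenient length parsing is where a client and an intermediary end up disagreeing on message framing. The old `contentlength >= 0` guard is also gone, so the OK branch now relies on the parser never handing back a negative value; a comment such as `/* curlx_strtoofft() rejects a leading minus, so contentlength is >= 0 here */` would record that, if that is indeed what the parser guarantees. The enclosing function starts and ends outside this hunk.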


@ -18,6 +18,10 @@ Funny-head: yesyes
moooooooooooo moooooooooooo
</data> </data>
<datacheck>
HTTP/1.1 200 OK swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
</datacheck>
</reply> </reply>
# #
@ -27,7 +31,7 @@ moooooooooooo
http http
</server> </server>
<name> <name>
simple HTTP GET with negative Content-Length HTTP response with negative Content-Length
</name> </name>
<command> <command>
http://%HOSTIP:%HTTPPORT/178 http://%HOSTIP:%HTTPPORT/178
@ -46,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
Accept: */* Accept: */*
</protocol> </protocol>
<errorcode>
8
</errorcode>
</verify> </verify>
</testcase> </testcase>
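Review bot: The new overflow branch (`CURL_OFFT_FLOW`) is not exercised by what is visible of this test: the updated case only checks that a negative Content-Length ends with error 8. I would add a sibling test case that sends a Content-Length too large for curl_off_t, once with a maximum file size set (expecting the file-size-exceeded error) and once without (expecting the transfer to finish with the connection closed), so that both halves of the commit message are pinned down. The reply headers of this case sit above the first hunk, so the exact value the server sends is not visible here.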