Improper parsing of chunk lengths

[kenballus]

Description

gunicorn currently parses chunk lengths using int. This causes problems because int accepts a lot more than should be acceptable in a chunk length. The biggest problem characters are, '-', '+', and '_'.

Examples

HTTP requests in which gunicorn misinterprets a chunk length:

Underscore between digits

GET / HTTP/1.1\r\n
Transfer-Encoding: chunked\r\n
Host: a\r\n
\r\n
1_0\r\n
0123456789abcdef\r\n
0\r\n
\r\n

Plus sign prefix

GET / HTTP/1.1\r\n
Transfer-Encoding: chunked\r\n
Host: a\r\n
\r\n
+10\r\n
0123456789abcdef\r\n
0\r\n
\r\n

Minus sign prefix (only works for 0)

GET / HTTP/1.1\r\n
Transfer-Encoding: chunked\r\n
Host: a\r\n
\r\n
10\r\n
0123456789abcdef\r\n
-0\r\n
\r\n

Solution

During chunk length parsing, verify that the input is all ASCII digits.

Versions

CPython version: 3.10.11
Gunicorn version: master

Notes

This issue is identical to #2977, but for chunk lengths. Given that @jasonamyers fixed that issue, maybe he's interested in helping out with this one as well?

[benoitc]

questionI guess we should return a 400 if it's happen. Question , when did you get such message?

[kenballus]

I don't think I understand what you're asking.

I think the reasonable fix would be to change gunicorn/http/body.py to check that chunk lengths match the set of hex characters. A patch can be seen here: https://github.com/benoitc/gunicorn/pull/3059/files