From f605125067562174920206e57cb589d31e2afb4b Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 16 Feb 2021 11:49:28 +0100
Subject: [PATCH] fix(http1): fix server misinterpretting multiple
 Transfer-Encoding headers

When a request arrived with multiple `Transfer-Encoding` headers, hyper
would check each if they ended with `chunked`. It should have only
checked if the *last* header ended with `chunked`.

See GHSA-6hfq-h8hq-87mf
---
 src/proto/h1/role.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/proto/h1/role.rs b/src/proto/h1/role.rs
index 902f93beaf..7193e1c573 100644
--- a/src/proto/h1/role.rs
+++ b/src/proto/h1/role.rs
@@ -170,6 +170,8 @@ impl Http1Transaction for Server {
                     if headers::is_chunked_(&value) {
                         is_te_chunked = true;
                         decoder = DecodedLength::CHUNKED;
+                    } else {
+                        is_te_chunked = false;
                     }
                 },
                 header::CONTENT_LENGTH => {
@@ -1226,6 +1228,15 @@ mod tests {
             \r\n\
         ", "transfer-encoding doesn't end in chunked");
 
+        parse_err(
+            "\
+             POST / HTTP/1.1\r\n\
+             transfer-encoding: chunked\r\n\
+             transfer-encoding: afterlol\r\n\
+             \r\n\
+             ",
+            "transfer-encoding multiple lines doesn't end in chunked",
+        );
 
         // http/1.0