Return 400 response for chunked requests with unexpected data after c…

…hunk Fixes #133
ruby · Jul 14, 2024 · 15a9391 · 15a9391
1 parent 2b38d56
commit 15a9391
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
@@ -574,7 +574,11 @@ def read_chunked(socket, block)
           block.call(data)
         end while (chunk_size -= sz) > 0
 
-        read_line(socket)                    # skip CRLF
+        line = read_line(socket)              # skip CRLF
+        unless line == "\r\n"
+          raise HTTPStatus::BadRequest, "extra data after chunk `#{line}'."
+        end
+
         chunk_size, = read_chunk_size(socket)
       end
       read_header(socket)                    # trailer + CRLF

diff --git a/test/webrick/test_httprequest.rb b/test/webrick/test_httprequest.rb
@@ -423,6 +423,29 @@ def test_bad_chunked
     end
   end
 
+  def test_bad_chunked_extra_data
+    msg = <<~HTTP
+      POST /path HTTP/1.1\r
+      Transfer-Encoding: chunked\r
+      \r
+      3\r
+      ABCthis-all-gets-ignored\r
+      0\r
+      \r
+    HTTP
+    req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+    req.parse(StringIO.new(msg))
+    assert_raise(WEBrick::HTTPStatus::BadRequest){ req.body }
+
+    # chunked req.body_reader
+    req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+    req.parse(StringIO.new(msg))
+    dst = StringIO.new
+    assert_raise(WEBrick::HTTPStatus::BadRequest) do
+      IO.copy_stream(req.body_reader, dst)
+    end
+  end
+
   def test_null_byte_in_header
     msg = <<~HTTP.gsub("\n", "\r\n")
       POST /path HTTP/1.1\r