denoland / deno

A modern runtime for JavaScript and TypeScript.
https://deno.com
MIT License

HTTP/1.1: Chunked message bodies incorrectly terminated on `\r\n\r\n` instead of `0\r\n\r\n` #24455

Open kenballus opened 4 months ago

kenballus commented 4 months ago

Version

deno 1.44.4 (debug, x86_64-unknown-linux-gnu)
v8 12.7.224.9
typescript 5.5.2

Description

Deno HTTP/1.1 servers allow chunked message bodies to be terminated by `\r\n\r\n` alone (i.e., not `0\r\n\r\n`).

To reproduce

  1. Run a Deno HTTP server that echoes back message bodies, such as this one.
  2. Send it a chunked request that's missing the final chunk-size, and extract the echoed message body:
    printf 'POST / HTTP/1.1\r\nHost: whatever\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n\r\n\r\n' \
    | timeout 1 nc localhost 80 \
    | grep '"body"' \
    | jq '.["body"]' \
    | xargs echo \
    | base64 -d \
    | xxd
  3. Observe that Deno interprets the message body as `Z`.
    00000000: 5a                                       Z

Suggested fix

Respond 400 to requests with invalid chunked message bodies. This is what nearly all other HTTP implementations do, including AIOHTTP, Apache httpd, Cheroot, FastHTTP, Go net/http, Gunicorn, H2O, HAProxy, Hypercorn, Jetty, Lighttpd, Nginx, Node.js, Puma, Tomcat, Twisted, Uvicorn, and WEBrick.
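
The strict behaviour asked for above, as an added example that is not part of the original issue and is not hyper's or Deno's code: a chunked-body decoder that refuses an empty chunk-size line instead of treating it as the end of the body. The names `decode_chunked` and `find_crlf` are hypothetical, and the inputs in `main` are constructed.

```rust
// Added example: strict decoder for an HTTP/1.1 chunked body (RFC 9112, section 7.1).
// Any Err is a case a server should answer with 400 Bad Request.

/// Find the next CRLF at or after `from`; returns the index of the '\r'.
fn find_crlf(buf: &[u8], from: usize) -> Option<usize> {
    buf.get(from..)?.windows(2).position(|w| w == b"\r\n").map(|i| from + i)
}

/// Decode a complete chunked body; `input` starts right after the header block.
pub fn decode_chunked(input: &[u8]) -> Result<Vec<u8>, &'static str> {
    let mut body = Vec::new();
    let mut pos = 0;
    loop {
        // chunk-size line: 1*HEXDIG [ ";" chunk-ext ] CRLF
        let eol = find_crlf(input, pos).ok_or("truncated chunk-size line")?;
        let digits = input[pos..eol].split(|&b| b == b';').next().unwrap_or(&[]);
        // An empty chunk-size is exactly the malformed input from the issue.
        if digits.is_empty() || !digits.iter().all(|b| b.is_ascii_hexdigit()) {
            return Err("invalid chunk-size");
        }
        let text = std::str::from_utf8(digits).map_err(|_| "invalid chunk-size")?;
        let size = usize::from_str_radix(text, 16).map_err(|_| "chunk-size overflow")?;
        pos = eol + 2;
        if size == 0 {
            break; // last-chunk seen; only the trailer section may follow
        }
        let end = pos.checked_add(size).ok_or("chunk-size overflow")?;
        let data = input.get(pos..end).ok_or("truncated chunk data")?;
        if input.get(end..end + 2) != Some(&b"\r\n"[..]) {
            return Err("chunk data not followed by CRLF");
        }
        body.extend_from_slice(data);
        pos = end + 2;
    }
    // Trailer section: zero or more field lines, then one empty line.
    loop {
        let eol = find_crlf(input, pos).ok_or("missing final CRLF")?;
        if eol == pos {
            return Ok(body);
        }
        pos = eol + 2;
    }
}

fn main() {
    // Constructed inputs: the body from the issue, then a well-formed one.
    println!("{:?}", decode_chunked(b"1\r\nZ\r\n\r\n\r\n"));
    println!("{:?}", decode_chunked(b"1\r\nZ\r\n0\r\n\r\n"));
}
```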

lucacasonato commented 4 months ago

Will be fixed by https://github.com/hyperium/hyper/pull/3698

bartlomieju commented 4 months ago

Need to land https://github.com/denoland/deno/pull/24237 first.