openwrt / uhttpd

[MIRROR] Tiny HTTP server
https://git.openwrt.org/?p=project/uhttpd.git;

uhttpd incorrectly terminates chunked message bodies on `\r\n\r\n` instead of `0\r\n\r\n`. #10

Open kenballus opened 1 month ago

kenballus commented 1 month ago

When uhttpd receives a request with a chunked message body that is missing the final chunk size of 0, it treats the request as valid even though it should be rejected.

For example, uhttpd incorrectly accepts the following request:

```
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
1\r\n
Z\r\n
\r\n
\r\n
```

kenballus commented 1 month ago

Further, it seems that uhttpd does not validate the final chunk size, even if it is present. For example, the following request is accepted:

```
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
1\r\n
Z\r\n
INVALID!!!\r\n
\r\n
```
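
A strict chunked-body check that rejects both message bodies reported above, as an added example (not uhttpd's code and not part of the issue thread). The names `hexval` and `chunked_body_len`, the 7-hex-digit size cap, and the choice to reject chunk extensions are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from uhttpd): value of one HEXDIG, or -1. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Returns the length of the complete chunked body at buf, 0 if more bytes
 * are needed, -1 if malformed. Chunk extensions are rejected for brevity. */
long chunked_body_len(const char *buf, size_t len)
{
    size_t pos = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        while (pos < len && hexval((unsigned char)buf[pos]) >= 0) {
            if (++digits > 7) return -1;          /* bound the chunk size */
            size = size * 16 + (size_t)hexval((unsigned char)buf[pos++]);
        }
        if (pos == len) return 0;
        if (digits == 0) return -1;   /* "\r\n" or "INVALID!!!" as a size */
        if (len - pos < 2) return buf[pos] == '\r' ? 0 : -1;
        if (buf[pos] != '\r' || buf[pos + 1] != '\n') return -1;
        pos += 2;
        if (size == 0) break;         /* only a last-chunk ends the chunks */
        if (len - pos < size + 2) return 0;
        if (buf[pos + size] != '\r' || buf[pos + size + 1] != '\n') return -1;
        pos += size + 2;
    }
    for (;;) {                        /* trailer section, then empty line */
        size_t start = pos;
        while (pos + 1 < len && !(buf[pos] == '\r' && buf[pos + 1] == '\n')) pos++;
        if (pos + 1 >= len) return 0;
        pos += 2;
        if (pos - 2 == start) return (long)pos;
    }
}

int main(void)
{
    /* Bodies from the two reports above, then a well-formed one. */
    const char *b[] = { "1\r\nZ\r\n\r\n\r\n", "1\r\nZ\r\nINVALID!!!\r\n\r\n",
                        "1\r\nZ\r\n0\r\n\r\n" };
    for (int i = 0; i < 3; i++)
        printf("%ld\n", chunked_body_len(b[i], strlen(b[i])));
    return 0;
}
```

A server that ends the body at the first empty line instead can disagree with a stricter upstream proxy about where one request stops and the next begins, which is why the missing `0\r\n` matters.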