openwrt / uhttpd

[MIRROR] Tiny HTTP server
https://git.openwrt.org/?p=project/uhttpd.git;

uhttpd incorrectly terminates chunked message bodies on `\r\n\r\n` instead of `0\r\n\r\n`. #10

Open kenballus opened 4 months ago

kenballus commented 4 months ago

When uhttpd receives a request with a chunked message body that is missing the final chunk size of 0, it treats the request as valid even though it should be rejected.

For example, uhttpd incorrectly accepts the following request:

```
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
1\r\n
Z\r\n
\r\n
\r\n
```

kenballus commented 4 months ago

Further, it seems that uhttpd does not validate the final chunk size, even if it is present. For example, the following request is accepted:

```
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
1\r\n
Z\r\n
INVALID!!!\r\n
\r\n
```
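
For reference, a strict chunked-body check that rejects both requests above, following the chunked grammar in RFC 9112 section 7.1. This is an added example, not uhttpd's code or a proposed patch; the function names are hypothetical, and it assumes chunk extensions and trailer fields are simply rejected.

```c
#include <stddef.h>

/* Added example, not uhttpd code. Assumption: chunk extensions and trailer
 * fields are rejected to keep the grammar minimal. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* 1 = CRLF consumed, 0 = need more data, -1 = something else is there */
static int expect_crlf(const char *buf, size_t len, size_t *pos)
{
    if (*pos < len && buf[*pos] != '\r') return -1;
    if (len - *pos < 2) return 0;
    if (buf[*pos + 1] != '\n') return -1;
    *pos += 2;
    return 1;
}

/* Returns bytes consumed by a complete chunked body, 0 if incomplete,
 * -1 if malformed. */
long chunked_body_len(const char *buf, size_t len)
{
    size_t pos = 0;
    int r;

    for (;;) {
        size_t size = 0, digits = 0;

        /* chunk-size = 1*HEXDIG; cap at 8 digits so size cannot overflow */
        while (pos < len && hexval((unsigned char)buf[pos]) >= 0) {
            if (++digits > 8) return -1;
            size = size * 16 + (size_t)hexval((unsigned char)buf[pos++]);
        }
        if (pos == len) return 0;
        if (digits == 0) return -1;   /* empty line or junk, not a size */
        if ((r = expect_crlf(buf, len, &pos)) <= 0) return r;
        if (size == 0) {              /* last-chunk: only "0" ends the body */
            if ((r = expect_crlf(buf, len, &pos)) <= 0) return r;
            return (long)pos;
        }
        if (len - pos < size) return 0;
        pos += size;
        if ((r = expect_crlf(buf, len, &pos)) <= 0) return r;
    }
}
```

Both message bodies quoted in this issue return -1 here, while the same single chunk followed by `0\r\n\r\n` is accepted.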