fix/drop content length when chunked (#234)

pintsized · web-flow · commit d7f636c28c12 · 2021-03-29T11:38:38.000+01:00
* Make flakey test a little less flakey * Ensure Content-Length is dropped if Transfer-Encoding is specified https://tools.ietf.org/html/rfc7230#section-3.3.3
diff --git a/lib/resty/http.lua b/lib/resty/http.lua
@@ -659,28 +659,37 @@ function _M.send_request(self, params)
         headers["Proxy-Authorization"] = self.http_proxy_auth
     end
 
-    -- Ensure minimal headers are set
+    -- Ensure we have appropriate message length or encoding.
+    do
+        local is_chunked = transfer_encoding_is_chunked(headers)
+
+        if is_chunked then
+            -- If we have both Transfer-Encoding and Content-Length we MUST
+            -- drop the Content-Length, to help prevent request smuggling.
+            -- https://tools.ietf.org/html/rfc7230#section-3.3.3
+            headers["Content-Length"] = nil
 
-    if not headers["Content-Length"] then
-        local body_type = type(body)
+        elseif not headers["Content-Length"] then
+            -- A length was not given, try to calculate one.
 
-        if body_type == "function" then
-            if not transfer_encoding_is_chunked(headers) then
+            local body_type = type(body)
+
+            if body_type == "function" then
                 return nil, "Request body is a function but a length or chunked encoding is not specified"
-            end
 
-        elseif body_type == "table" then
-            local length = 0
-            for _, v in ipairs(body) do
-                length = length + #tostring(v)
-            end
-            headers["Content-Length"] = length
+            elseif body_type == "table" then
+                local length = 0
+                for _, v in ipairs(body) do
+                    length = length + #tostring(v)
+                end
+                headers["Content-Length"] = length
 
-        elseif body == nil and EXPECTING_BODY[str_upper(params.method)] then
-            headers["Content-Length"] = 0
+            elseif body == nil and EXPECTING_BODY[str_upper(params.method)] then
+                headers["Content-Length"] = 0
 
-        elseif body ~= nil then
-            headers["Content-Length"] = #tostring(body)
+            elseif body ~= nil then
+                headers["Content-Length"] = #tostring(body)
+            end
         end
     end
 
diff --git a/t/02-chunked.t b/t/02-chunked.t
@@ -263,10 +263,62 @@ table
             headers["Transfer-Encoding"] = { "chunked", " ChuNkEd " }
             assert(http.transfer_encoding_is_chunked(headers) == true,
                 "te set to table values containing `chunked` should return true`")
+
+            headers["Transfer-Encoding"] = "chunked"
+            headers["Content-Length"] = 10
+            assert(http.transfer_encoding_is_chunked(headers) == true,
+                "transfer encoding should override content-length`")
+        }
+    }
+--- request
+GET /a
+--- no_error_log
+[error]
+[warn]
+
+
+=== TEST 6: Don't send Content-Length if Transfer-Encoding is specified
+--- http_config eval: $::HttpConfig
+--- config
+    location = /a {
+        content_by_lua_block {
+            local httpc = require("resty.http").new()
+            local yield = coroutine.yield
+
+            local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/b"
+
+            local res, err = assert(httpc:request_uri(uri, {
+                body = coroutine.wrap(function()
+                    yield("3\r\n")
+                    yield("foo\r\n")
+
+                    yield("3\r\n")
+                    yield("bar\r\n")
+
+                    yield("0\r\n")
+                    yield("\r\n")
+                end),
+                headers = {
+                    ["Transfer-Encoding"] = "chunked",
+                    ["Content-Length"] = 42,
+                },
+            }))
+
+            ngx.say(res.body)
+        }
+    }
+    location = /b {
+        content_by_lua_block {
+            ngx.req.read_body()
+            ngx.say(ngx.req.get_headers()["Content-Length"])
+            ngx.print(ngx.req.get_body_data())
         }
     }
 --- request
 GET /a
+--- response_body
+nil
+foobar
 --- no_error_log
 [error]
 [warn]
diff --git a/t/14-host-header.t b/t/14-host-header.t
@@ -67,6 +67,7 @@ Host: www.google.com
             local http = require "resty.http"
             local httpc = http.new()
 
+            httpc:set_timeouts(300, 1000, 1000)
             local res, err = httpc:request_uri("https://www.google.com:443", { ssl_verify = false })
         ';
     }

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ Host: www.google.com`
`67`	`67`	`local http = require "resty.http"`
`68`	`68`	`local httpc = http.new()`
`69`	`69`
	`70`	`+ httpc:set_timeouts(300, 1000, 1000)`
`70`	`71`	`local res, err = httpc:request_uri("https://www.google.com:443", { ssl_verify = false })`
`71`	`72`	`';`
`72`	`73`	`}`