deno icon indicating copy to clipboard operation
deno copied to clipboard
verified publisher icon denoland

HTTP/1.1: Chunked message bodies incorrectly terminated on `\r\n\r\n` instead of `0\r\n\r\n`

Open kenballus opened this issue 1 year ago • 2 comments

Version

deno 1.44.4 (debug, x86_64-unknown-linux-gnu)
v8 12.7.224.9
typescript 5.5.2

Description

Deno HTTP/1.1 servers allow chunked message bodies to be terminated by \r\n\r\n alone (i.e., not 0\r\n\r\n).

To reproduce

  1. Run a Deno HTTP server that echos back message bodies, such as this one.
  2. Send it a chunked request that's missing the final chunk-size, and extract the echoed message body:
printf 'POST / HTTP/1.1\r\nHost: whatever\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n\r\n\r\n' \
    | timeout 1 nc localhost 80 \
    | grep '"body"' \
    | jq '.["body"]' \
    | xargs echo \
    | base64 -d \
    | xxd
  1. Observe that Deno interprets the message body as Z.
00000000: 5a                                       Z

Suggested fix

Respond 400 to requests with invalid chunked message bodies. This is what nearly all other HTTP implementations do, including AIOHTTP, Apache httpd, Cheroot, FastHTTP, Go net/http, Gunicorn, H2O, HAProxy, Hypercorn, Jetty, Lighttpd, Nginx, Node.js, Puma, Tomcat, Twisted, Uvicorn, and WEBrick do.

kenballus avatar Jul 06 '24 20:07 kenballus

Will be fixed by https://github.com/hyperium/hyper/pull/3698

lucacasonato avatar Jul 09 '24 13:07 lucacasonato

Need to land https://github.com/denoland/deno/pull/24237 first.

bartlomieju avatar Jul 11 '24 00:07 bartlomieju