sub input_prepare {
my ($self, $env) = @_;
- my $input;
- my $len = $env->{CONTENT_LENGTH};
- if ($len) {
- if ($len > $MAX_REQUEST_BUFFER) {
- quit($self, 413);
- return;
- }
- $input = input_tmpfile($self);
- } elsif (env_chunked($env)) {
+ my ($input, $len);
+
+ # rfc 7230 3.3.2, 3.3.3,: favor Transfer-Encoding over Content-Length
+ my $hte = $env->{HTTP_TRANSFER_ENCODING};
+ if (defined $hte) {
+ # rfc7230 3.3.3, point 3 says only chunked is accepted
+ # as the final encoding. Since neither public-inbox-httpd,
+ # git-http-backend, or our WWW-related code uses "gzip",
+ # "deflate" or "compress" as the Transfer-Encoding, we'll
+ # reject them:
+ return quit($self, 400) if $hte !~ /\Achunked\z/i;
+
$len = CHUNK_START;
$input = input_tmpfile($self);
} else {
- $input = $null_io;
+ $len = $env->{CONTENT_LENGTH};
+ if (defined $len) {
+ # rfc7230 3.3.3.4
+ return quit($self, 400) if $len !~ /\A[0-9]+\z/;
+
+ return quit($self, 413) if $len > $MAX_REQUEST_BUFFER;
+ $input = $len ? input_tmpfile($self) : $null_io;
+ } else {
+ $input = $null_io;
+ }
}
# TODO: expire idle clients on ENFILE / EMFILE
$self->{input_left} = $len || 0;
}
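Review bot: In the `defined $hte` branch, a request carrying both `Transfer-Encoding: chunked` and a `Content-Length` is accepted, and the `Content-Length` value is neither validated nor removed, so `$env->{CONTENT_LENGTH}` keeps the client's value while the body is read as chunked. RFC 7230 3.3.3 point 3 treats that combination as a possible request-smuggling attempt and says the length must be dropped before the message is passed on. Either reject it with `return quit($self, 400) if defined $env->{CONTENT_LENGTH};` or add `delete $env->{CONTENT_LENGTH};` before `$len = CHUNK_START;`. Whether later code or a PSGI app reads that key is not visible here, so this may already be handled elsewhere. The page shows no hunk headers, so part of input_prepare's tail may be outside view.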
-sub env_chunked { ($_[0]->{HTTP_TRANSFER_ENCODING} || '') =~ /\bchunked\b/i }
+sub env_chunked { ($_[0]->{HTTP_TRANSFER_ENCODING} // '') =~ /\Achunked\z/i }
sub err ($$) {
eval { $_[0]->{httpd}->{env}->{'psgi.errors'}->print($_[1]."\n") };
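Review bot: The anchored pattern `/\Achunked\z/i` now exists twice, in env_chunked and inline in input_prepare, and two copies of a security-relevant check can drift apart. input_prepare could reuse the helper inside its `defined $hte` branch: `return quit($self, 400) unless env_chunked($env);`. Any other caller of env_chunked (none is visible in this hunk) will now treat a value such as `gzip, chunked` as "not chunked" rather than as an error. It is worth confirming that such callers only run after input_prepare has rejected those requests.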
my $h = "HTTP/1.1 $status " . status_message($status) . "\r\n\r\n";
$self->write(\$h);
$self->close;
+ undef; # input_prepare expects this
}
sub close {
like($head, qr/\b413\b/, 'got 413 response');
}
+{
+ my $conn = conn_for($sock, '1.1 Transfer-Encoding bogus');
+ $conn->write("PUT /sha1 HTTP/1.1\r\nTransfer-Encoding: bogus\r\n\r\n");
+ $conn->read(my $buf, 4096);
+ like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on bogus TE');
+}
+{
+ my $conn = conn_for($sock, '1.1 Content-Length bogus');
+ $conn->write("PUT /sha1 HTTP/1.1\r\nContent-Length: 3.3\r\n\r\n");
+ $conn->read(my $buf, 4096);
+ like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on bad length');
+}
+
+{
+ my $req = "PUT /sha1 HTTP/1.1\r\nContent-Length: 3\r\n" .
+ "Content-Length: 3\r\n\r\n";
+ # this is stricter than it needs to be. Due to the way
+ # Plack::HTTPParser, PSGI specs, and how hash tables work in common
+ # languages; it's not possible to tell the difference between folded
+ # and intentionally bad commas (e.g. "Content-Length: 3, 3")
+ if (0) {
+ require Plack::HTTPParser; # XS or pure Perl
+ require Data::Dumper;
+ Plack::HTTPParser::parse_http_request($req, my $env = {});
+ diag Data::Dumper::Dumper($env); # "Content-Length: 3, 3"
+ }
+ my $conn = conn_for($sock, '1.1 Content-Length dupe');
+ $conn->write($req);
+ $conn->read(my $buf, 4096);
+ like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on dupe length');
+}
+
{
my $conn = conn_for($sock, 'chunk with pipeline');
my $n = 10;
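Review bot: No new case covers the precedence rule stated in the input_prepare comment, that Transfer-Encoding wins when Content-Length is also sent; the added cases only pin the 400 paths for a bogus Transfer-Encoding and a malformed or duplicated Content-Length. A case that sends both headers and asserts the intended outcome would keep that behaviour from regressing silently. A stacked encoding is also untested and fits the existing pattern, e.g. `$conn->write("PUT /sha1 HTTP/1.1\r\nTransfer-Encoding: gzip, chunked\r\n\r\n");` followed by the same 400 assertion. The block opened on the last context lines continues outside the hunk.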