登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 21

lishiyangasdf / squid

forked from src-openEuler / squid 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
CVE-2020-15811.patch 6.64 KB
一键复制 编辑 原始数据 按行查看 历史
guoxiaoqi 提交于 2021-03-17 14:04 . fix CVE-2020-14058,CVE-2020-15049,CVE-2020-15810,CVE-2020-15811,CVE-2020-24606
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
From fd68382860633aca92065e6c343cfd1b12b126e7 Mon Sep 17 00:00:00 2001

From: Amos Jeffries <yadij@users.noreply.github.com>

Date: Sun, 16 Aug 2020 02:21:22 +0000

Subject: [PATCH] Improve Transfer-Encoding handling (#702)



Reject messages containing Transfer-Encoding header with coding other

than chunked or identity. Squid does not support other codings.



For simplicity and security sake, also reject messages where

Transfer-Encoding contains unnecessary complex values that are

technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or

"identity, chunked").



RFC 7230 formally deprecated and removed identity coding, but it is

still used by some agents.

---

 src/HttpHeader.cc  | 16 +++++++++++++++-

 src/HttpHeader.h   | 18 ++++++++++--------

 src/client_side.cc | 11 ++---------

 src/http.cc        |  3 +++

 4 files changed, 30 insertions(+), 18 deletions(-)



diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc

index 80c23458eb..f30802eb79 100644

--- a/src/HttpHeader.cc

+++ b/src/HttpHeader.cc

@@ -174,6 +174,7 @@ HttpHeader::operator =(const HttpHeader &other)

         update(&other); // will update the mask as well

         len = other.len;

         conflictingContentLength_ = other.conflictingContentLength_;

+        teUnsupported_ = other.teUnsupported_;

     }

     return *this;

 }

@@ -222,6 +223,7 @@ HttpHeader::clean()

     httpHeaderMaskInit(&mask, 0);

     len = 0;

     conflictingContentLength_ = false;

+    teUnsupported_ = false;

     PROF_stop(HttpHeaderClean);

 }

 

@@ -471,11 +473,23 @@ HttpHeader::parse(const char *header_start, size_t hdrLen)

                Raw("header", header_start, hdrLen));

     }

 

-    if (chunked()) {

+    String rawTe;

+    if (getByIdIfPresent(Http::HdrType::TRANSFER_ENCODING, &rawTe)) {

         // RFC 2616 section 4.4: ignore Content-Length with Transfer-Encoding

         // RFC 7230 section 3.3.3 #3: Transfer-Encoding overwrites Content-Length

         delById(Http::HdrType::CONTENT_LENGTH);

         // and clen state becomes irrelevant

+

+        if (rawTe == "chunked") {

+            ; // leave header present for chunked() method

+        } else if (rawTe == "identity") { // deprecated. no coding

+            delById(Http::HdrType::TRANSFER_ENCODING);

+        } else {

+            // This also rejects multiple encodings until we support them properly.

+            debugs(55, warnOnError, "WARNING: unsupported Transfer-Encoding used by client: " << rawTe);

+            teUnsupported_ = true;

+        }

+

     } else if (clen.sawBad) {

         // ensure our callers do not accidentally see bad Content-Length values

         delById(Http::HdrType::CONTENT_LENGTH);

diff --git a/src/HttpHeader.h b/src/HttpHeader.h

index e3553a4e4d..64f294a50a 100644

--- a/src/HttpHeader.h

+++ b/src/HttpHeader.h

@@ -140,7 +140,13 @@ class HttpHeader

     int hasListMember(Http::HdrType id, const char *member, const char separator) const;

     int hasByNameListMember(const char *name, const char *member, const char separator) const;

     void removeHopByHopEntries();

-    inline bool chunked() const; ///< whether message uses chunked Transfer-Encoding

+

+    /// whether the message uses chunked Transfer-Encoding

+    /// optimized implementation relies on us rejecting/removing other codings

+    bool chunked() const { return has(Http::HdrType::TRANSFER_ENCODING); }

+

+    /// whether message used an unsupported and/or invalid Transfer-Encoding

+    bool unsupportedTe() const { return teUnsupported_; }

 

     /* protected, do not use these, use interface functions instead */

     std::vector<HttpHeaderEntry *> entries;     /**< parsed fields in raw format */

@@ -158,6 +164,9 @@ class HttpHeader

 private:

     HttpHeaderEntry *findLastEntry(Http::HdrType id) const;

     bool conflictingContentLength_; ///< found different Content-Length fields

+    /// unsupported encoding, unnecessary syntax characters, and/or

+    /// invalid field-value found in Transfer-Encoding header

+    bool teUnsupported_ = false;

 };

 

 int httpHeaderParseQuotedString(const char *start, const int len, String *val);

@@ -167,13 +176,6 @@ SBuf httpHeaderQuoteString(const char *raw);

 

 void httpHeaderCalcMask(HttpHeaderMask * mask, Http::HdrType http_hdr_type_enums[], size_t count);

 

-inline bool

-HttpHeader::chunked() const

-{

-    return has(Http::HdrType::TRANSFER_ENCODING) &&

-           hasListMember(Http::HdrType::TRANSFER_ENCODING, "chunked", ',');

-}

-

 void httpHeaderInitModule(void);

 

 #endif /* SQUID_HTTPHEADER_H */

diff --git a/src/client_side.cc b/src/client_side.cc

index f7038ba983..547b0ca723 100644

--- a/src/client_side.cc

+++ b/src/client_side.cc

@@ -1600,9 +1600,7 @@ void

 clientProcessRequest(ConnStateData *conn, const Http1::RequestParserPointer &hp, Http::Stream *context)

 {

     ClientHttpRequest *http = context->http;

-    bool chunked = false;

     bool mustReplyToOptions = false;

-    bool unsupportedTe = false;

     bool expectBody = false;

 

     // We already have the request parsed and checked, so we

@@ -1659,13 +1657,7 @@ clientProcessRequest(ConnStateData *conn, const Http1::RequestParserPointer &hp,

         request->http_ver.minor = http_ver.minor;

     }

 

-    if (request->header.chunked()) {

-        chunked = true;

-    } else if (request->header.has(Http::HdrType::TRANSFER_ENCODING)) {

-        const String te = request->header.getList(Http::HdrType::TRANSFER_ENCODING);

-        // HTTP/1.1 requires chunking to be the last encoding if there is one

-        unsupportedTe = te.size() && te != "identity";

-    } // else implied identity coding

+    const auto unsupportedTe = request->header.unsupportedTe();

 

     mustReplyToOptions = (request->method == Http::METHOD_OPTIONS) &&

                          (request->header.getInt64(Http::HdrType::MAX_FORWARDS) == 0);

@@ -1682,6 +1674,7 @@ clientProcessRequest(ConnStateData *conn, const Http1::RequestParserPointer &hp,

         return;

     }

 

+    const auto chunked = request->header.chunked();

     if (!chunked && !clientIsContentLengthValid(request.getRaw())) {

         clientStreamNode *node = context->getClientReplyContext();

         clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());

diff --git a/src/http.cc b/src/http.cc

index 53f428a4d2..79ab2cf226 100644

--- a/src/http.cc

+++ b/src/http.cc

@@ -1292,6 +1292,9 @@ HttpStateData::continueAfterParsingHeader()

             } else if (vrep->header.conflictingContentLength()) {

                 fwd->dontRetry(true);

                 error = ERR_INVALID_RESP;

+            } else if (vrep->header.unsupportedTe()) {

+                fwd->dontRetry(true);

+                error = ERR_INVALID_RESP;

             } else {

                 return true; // done parsing, got reply, and no error

             }
1
https://gitee.com/lishiyangasdf/squid.git
git@gitee.com:lishiyangasdf/squid.git
lishiyangasdf
squid
squid
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部