Unverified Commit f68e6727 authored by Daniel Stenberg's avatar Daniel Stenberg

HTTP: bail out on negative Content-Length: values

... and make the max filesize check trigger if the value is too big.

Updates test 178.

Reported-by: Brad Spencer
Fixes #2212
Closes #2223
parent 0616dfa1
+23 −19
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -3505,13 +3505,14 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
    if(!k->ignorecl && !data->set.ignorecl &&
       checkprefix("Content-Length:", k->p)) {
      curl_off_t contentlength;
      if(!curlx_strtoofft(k->p + 15, NULL, 10, &contentlength)) {
      CURLofft offt = curlx_strtoofft(k->p + 15, NULL, 10, &contentlength);

      if(offt == CURL_OFFT_OK) {
        if(data->set.max_filesize &&
           contentlength > data->set.max_filesize) {
          failf(data, "Maximum file size exceeded");
          return CURLE_FILESIZE_EXCEEDED;
        }
        if(contentlength >= 0) {
        k->size = contentlength;
        k->maxdownload = k->size;
        /* we set the progress download size already at this point
@@ -3519,17 +3520,20 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
           info as soon as possible */
        Curl_pgrsSetDownloadSize(data, k->size);
      }
        else {
          /* Negative Content-Length is really odd, and we know it
             happens for example when older Apache servers send large
             files */
          streamclose(conn, "negative content-length");
          infof(data, "Negative content-length: %" CURL_FORMAT_CURL_OFF_T
                ", closing after transfer\n", contentlength);
      else if(offt == CURL_OFFT_FLOW) {
        /* out of range */
        if(data->set.max_filesize) {
          failf(data, "Maximum file size exceeded");
          return CURLE_FILESIZE_EXCEEDED;
        }
        streamclose(conn, "overflow content-length");
        infof(data, "Overflow Content-Length: value!\n");
      }
      else {
        /* negative or just rubbish - bad HTTP */
        failf(data, "Invalid Content-Length: value");
        return CURLE_WEIRD_SERVER_REPLY;
      }
      else
        infof(data, "Illegal Content-Length: header\n");
    }
    /* check for Content-Type: header lines to get the MIME-type */
    else if(checkprefix("Content-Type:", k->p)) {
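Review bot: In the `offt == CURL_OFFT_OK` branch, `contentlength` is now stored into `k->size` and `k->maxdownload` without the old `if(contentlength >= 0)` guard, so the non-negative invariant rests entirely on curlx_strtoofft() never returning CURL_OFFT_OK for a value with a leading minus sign; that function is not shown on this page. The final `else` comment ("negative or just rubbish") suggests this is intended, but it is worth pinning locally with `DEBUGASSERT(contentlength >= 0);` before the assignment, or with a comment such as `/* curlx_strtoofft() rejects negative numbers, so this is >= 0 */`. Separately, the call passes `NULL` as the end pointer, so bytes following the digits are presumably not inspected and a value with trailing junk would still be accepted as a length. Curl_http_readwrite_headers starts and ends outside these hunks.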
+8 −1
@@ -18,6 +18,10 @@ Funny-head: yesyes

moooooooooooo
</data>
<datacheck>
HTTP/1.1 200 OK swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
</datacheck>
</reply>

#
@@ -27,7 +31,7 @@ moooooooooooo
http
</server>
 <name>
simple HTTP GET with negative Content-Length
HTTP response with negative Content-Length
 </name>
 <command>
http://%HOSTIP:%HTTPPORT/178
@@ -46,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
Accept: */*

</protocol>
<errorcode>
8
</errorcode>
</verify>
</testcase>
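Review bot: The overflow path is left untested: the added `<errorcode>` of 8 pins the rejection of a negative value (it appears to correspond to the new `CURLE_WEIRD_SERVER_REPLY` return), but nothing on this page exercises the `CURL_OFFT_FLOW` branch that the commit message describes as making the max filesize check trigger. A companion test case whose reply carries a Content-Length too large for curl_off_t would cover it. Run with `--max-filesize` it should expect CURLE_FILESIZE_EXCEEDED, and run without it the transfer should complete by connection close. That second case matters because the stream then continues with no usable length, which is the behaviour most likely to regress unnoticed.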