From: Brian Neradt <brian.neradt@gmail.com>
Date: Sat, 21 May 2022 17:28:31 +0000 (+0100)
Subject: Reject Transfer-Encoding in pre-HTTP/1.1 requests
X-Git-Tag: archive/raspbian/8.1.1+ds-1.1+rpi1+deb11u1^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fb3ff18abb6284cdaf88bfe56c966ce1ed50e82d;p=trafficserver.git

Reject Transfer-Encoding in pre-HTTP/1.1 requests

Origin: upstream
Applied-Upstream: https://github.com/apache/trafficserver/commit/e2c9ac217f24dc3e91ff2c9f52b52093e8fb32d5
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2022-05-21

Per spec, Transfer-Encoding is only supported in HTTP/1.1. For earlier
versions, we must reject Transfer-Encoding rather than interpret it
since downstream proxies may ignore the chunk header and rely upon the
Content-Length, or interpret the body some other way.  These differences
in interpretation may open up the door to compatibility issues. To
protect against this, we reply with a 4xx if the client uses
Transfer-Encoding with HTTP versions that do not support it.
Last-Update: 2022-05-21
Gbp-Pq: Name 0019-CVE_2021_37148.patch
---

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index b34d1f02..113c8018 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -5174,6 +5174,17 @@ HttpTransact::check_request_validity(State *s, HTTPHdr *incoming_hdr)
       return BAD_CONNECT_PORT;
     }
 
+    if (s->client_info.transfer_encoding == CHUNKED_ENCODING && incoming_hdr->version_get() < HTTPVersion(1, 1)) {
+      // Per spec, Transfer-Encoding is only supported in HTTP/1.1. For earlier
+      // versions, we must reject Transfer-Encoding rather than interpret it
+      // since downstream proxies may ignore the chunk header and rely upon the
+      // Content-Length, or interpret the body some other way. These
+      // differences in interpretation may open up the door to compatibility
+      // issues. To protect against this, we reply with a 4xx if the client
+      // uses Transfer-Encoding with HTTP versions that do not support it.
+      return UNACCEPTABLE_TE_REQUIRED;
+    }
+
     // Require Content-Length/Transfer-Encoding for POST/PUSH/PUT
     if ((scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_HTTPS) &&
         (method == HTTP_WKSIDX_POST || method == HTTP_WKSIDX_PUSH || method == HTTP_WKSIDX_PUT) &&