From c32396c260c9b27f0b70df9e989161d641ea7ece Mon Sep 17 00:00:00 2001
From: Aron Xu <aron@debian.org>
Date: Sat, 29 Oct 2022 13:33:47 +0100
Subject: [PATCH] CVE-2021-37147

commit 5cad961c87cb07fbb8fa6890685d9878a169378d
Author: Brian Neradt <brian.neradt@gmail.com>
Date:   Wed Oct 27 11:29:43 2021 -0500

    Fix output '\n' HTTP field line endings (#8460)

    This is another attempt to fix what was initially addressed in #8096 but
    got backed out via #8305. That more extensive patch was considered too
    invasive and potentially risky.  This more targeted patch will fix
    clients that only send the \n endings but it will force the \r\n line
    ending on output.

    This was mostly in place except for header lines that get
    m_n_v_raw_printable set, which seems to be most header lines. The
    addition checks to see if the header line ends in \r\n. If it does not
    the m_n_v_raw_printable flag gets cleared and the logic that explicitly
    adds the line endings while be invoked on output.


Gbp-Pq: Name 0020-CVE-2021-37147.patch
---
 proxy/hdrs/MIME.cc | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc
index c2a22c8c..809b60dc 100644
--- a/proxy/hdrs/MIME.cc
+++ b/proxy/hdrs/MIME.cc
@@ -2638,8 +2638,17 @@ mime_parser_parse(MIMEParser *parser, HdrHeap *heap, MIMEHdrImpl *mh, const char
 
     // find_value_last
     field_value_last = line_e - 1;
+    int suffix_count = 0;
     while ((field_value_last >= field_value_first) && ParseRules::is_wslfcr(*field_value_last)) {
       --field_value_last;
+      ++suffix_count;
+    }
+
+    // Make sure the field ends in CRLF. If not, we'll fix the field via the n_v_raw_printable
+    // flag.
+    bool raw_print_field = true;
+    if (suffix_count < 2 || *(line_e - 2) != '\r' || *(line_e - 1) != '\n') {
+      raw_print_field = false;
     }
 
     field_name_length  = (int)(field_name_last - field_name_first + 1);
@@ -2676,7 +2685,7 @@ mime_parser_parse(MIMEParser *parser, HdrHeap *heap, MIMEHdrImpl *mh, const char
 
     MIMEField *field = mime_field_create(heap, mh);
     mime_field_name_value_set(heap, mh, field, field_name_wks_idx, field_name_first, field_name_length, field_value_first,
-                              field_value_length, true, total_line_length, false);
+                              field_value_length, raw_print_field, total_line_length, false);
     mime_hdr_field_attach(mh, field, 1, nullptr);
   }
 }
-- 
2.30.2