[jackhill/guix/guix.git] / gnu / packages / patches / llhttp-bootstrap-CVE-2020-8287.patch

This patch comes from upstream.  It corresponds to a patch applied to
the generated C source code for llhttp included in Node.js 14.16.0
(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a).  That commit
fixes CVE-2020-8287.  With this patch, the output of our
llhttp-bootstrap package matches the files included in Node.js 14.16.0
exactly.

commit e9b36ea64709c35ca66094d5cf3787f444029601
Author: Fedor Indutny <fedor@indutny.com>
Date:   Sat Oct 10 19:56:01 2020 -0700

    http: unset `F_CHUNKED` on new `Transfer-Encoding`
    
    Duplicate `Transfer-Encoding` header should be a treated as a single,
    but with original header values concatenated with a comma separator. In
    the light of this, even if the past `Transfer-Encoding` ended with
    `chunked`, we should be not let the `F_CHUNKED` to leak into the next
    header, because mere presence of another header indicates that `chunked`
    is not the last transfer-encoding token.

diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts
index f4f1a6e..0a0c365 100644
--- a/src/llhttp/http.ts
+++ b/src/llhttp/http.ts
@@ -460,11 +460,19 @@ export class HTTP {
       .match([ ' ', '\t' ], n('header_value_discard_ws'))
       .otherwise(checkContentLengthEmptiness);
 
+    // Multiple `Transfer-Encoding` headers should be treated as one, but with
+    // values separate by a comma.
+    //
+    // See: https://tools.ietf.org/html/rfc7230#section-3.2.2
+    const toTransferEncoding = this.unsetFlag(
+      FLAGS.CHUNKED,
+      'header_value_te_chunked');
+
     n('header_value_start')
       .otherwise(this.load('header_state', {
         [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback),
         [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag(
-          FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'),
+          FLAGS.TRANSFER_ENCODING, toTransferEncoding),
         [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'),
         [HEADER_STATE.CONNECTION]: n('header_value_connection'),
       }, 'header_value'));
@@ -847,6 +855,11 @@ export class HTTP {
     return span.start(span.end(this.node(next)));
   }
 
+  private unsetFlag(flag: FLAGS, next: string | Node): Node {
+    const p = this.llparse;
+    return p.invoke(p.code.and('flags', ~flag), this.node(next));
+  }
+
   private setFlag(flag: FLAGS, next: string | Node): Node {
     const p = this.llparse;
     return p.invoke(p.code.or('flags', flag), this.node(next));
diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md
index a7d1681..b0891d6 100644
--- a/test/request/transfer-encoding.md
+++ b/test/request/transfer-encoding.md
@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0
 off=106 error code=15 reason="Request has invalid `Transfer-Encoding`"
 ```
 
+## POST with `chunked` and duplicate transfer-encoding
+
+<!-- meta={"type": "request", "noScan": true} -->
+```http
+POST /post_identity_body_world?q=search#hey HTTP/1.1
+Accept: */*
+Transfer-Encoding: chunked
+Transfer-Encoding: deflate
+
+World
+```
+
+```log
+off=0 message begin
+off=5 len=38 span[url]="/post_identity_body_world?q=search#hey"
+off=44 url complete
+off=54 len=6 span[header_field]="Accept"
+off=61 header_field complete
+off=62 len=3 span[header_value]="*/*"
+off=67 header_value complete
+off=67 len=17 span[header_field]="Transfer-Encoding"
+off=85 header_field complete
+off=86 len=7 span[header_value]="chunked"
+off=95 header_value complete
+off=95 len=17 span[header_field]="Transfer-Encoding"
+off=113 header_field complete
+off=114 len=7 span[header_value]="deflate"
+off=123 header_value complete
+off=125 headers complete method=3 v=1/1 flags=200 content_length=0
+off=125 error code=15 reason="Request has invalid `Transfer-Encoding`"
+```
+
 ## POST with `chunked` before other transfer-coding (lenient)
 
 TODO(indutny): should we allow it even in lenient mode? (Consider disabling
Commit	Line	Data
31c4d890 JL	1	This patch comes from upstream. It corresponds to a patch applied to
	2	the generated C source code for llhttp included in Node.js 14.16.0
	3	(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a). That commit
	4	fixes CVE-2020-8287. With this patch, the output of our
	5	llhttp-bootstrap package matches the files included in Node.js 14.16.0
	6	exactly.
	7
	8	commit e9b36ea64709c35ca66094d5cf3787f444029601
	9	Author: Fedor Indutny <fedor@indutny.com>
	10	Date: Sat Oct 10 19:56:01 2020 -0700
	11
	12	http: unset `F_CHUNKED` on new `Transfer-Encoding`
	13
	14	Duplicate `Transfer-Encoding` header should be a treated as a single,
	15	but with original header values concatenated with a comma separator. In
	16	the light of this, even if the past `Transfer-Encoding` ended with
	17	`chunked`, we should be not let the `F_CHUNKED` to leak into the next
	18	header, because mere presence of another header indicates that `chunked`
	19	is not the last transfer-encoding token.
	20
	21	diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts
	22	index f4f1a6e..0a0c365 100644
	23	--- a/src/llhttp/http.ts
	24	+++ b/src/llhttp/http.ts
	25	@@ -460,11 +460,19 @@ export class HTTP {
	26	.match([ ' ', '\t' ], n('header_value_discard_ws'))
	27	.otherwise(checkContentLengthEmptiness);
	28
	29	+ // Multiple `Transfer-Encoding` headers should be treated as one, but with
	30	+ // values separate by a comma.
	31	+ //
	32	+ // See: https://tools.ietf.org/html/rfc7230#section-3.2.2
	33	+ const toTransferEncoding = this.unsetFlag(
	34	+ FLAGS.CHUNKED,
	35	+ 'header_value_te_chunked');
	36	+
	37	n('header_value_start')
	38	.otherwise(this.load('header_state', {
	39	[HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback),
	40	[HEADER_STATE.TRANSFER_ENCODING]: this.setFlag(
	41	- FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'),
	42	+ FLAGS.TRANSFER_ENCODING, toTransferEncoding),
	43	[HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'),
	44	[HEADER_STATE.CONNECTION]: n('header_value_connection'),
	45	}, 'header_value'));
	46	@@ -847,6 +855,11 @@ export class HTTP {
	47	return span.start(span.end(this.node(next)));
	48	}
	49
	50	+ private unsetFlag(flag: FLAGS, next: string \| Node): Node {
	51	+ const p = this.llparse;
	52	+ return p.invoke(p.code.and('flags', ~flag), this.node(next));
	53	+ }
	54	+
	55	private setFlag(flag: FLAGS, next: string \| Node): Node {
	56	const p = this.llparse;
	57	return p.invoke(p.code.or('flags', flag), this.node(next));
	58	diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md
	59	index a7d1681..b0891d6 100644
	60	--- a/test/request/transfer-encoding.md
	61	+++ b/test/request/transfer-encoding.md
	62	@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0
	63	off=106 error code=15 reason="Request has invalid `Transfer-Encoding`"
	64	```
65
66	+## POST with `chunked` and duplicate transfer-encoding
67	+
68	+<!-- meta={"type": "request", "noScan": true} -->
69	+```http
70	+POST /post_identity_body_world?q=search#hey HTTP/1.1
71	+Accept: /
72	+Transfer-Encoding: chunked
73	+Transfer-Encoding: deflate
74	+
75	+World
76	+```
77	+
78	+```log
79	+off=0 message begin
80	+off=5 len=38 span[url]="/post_identity_body_world?q=search#hey"
81	+off=44 url complete
82	+off=54 len=6 span[header_field]="Accept"
83	+off=61 header_field complete
84	+off=62 len=3 span[header_value]="/"
85	+off=67 header_value complete
86	+off=67 len=17 span[header_field]="Transfer-Encoding"
87	+off=85 header_field complete
88	+off=86 len=7 span[header_value]="chunked"
89	+off=95 header_value complete
90	+off=95 len=17 span[header_field]="Transfer-Encoding"
91	+off=113 header_field complete
92	+off=114 len=7 span[header_value]="deflate"
93	+off=123 header_value complete
94	+off=125 headers complete method=3 v=1/1 flags=200 content_length=0
95	+off=125 error code=15 reason="Request has invalid `Transfer-Encoding`"
96	+```
97	+
98	## POST with `chunked` before other transfer-coding (lenient)
99
100	TODO(indutny): should we allow it even in lenient mode? (Consider disabling