Fix Content-Length ', '-separated string issues

Theo van Hoesel · oalders · commit e84475de51d6 · 2022-06-27T10:35:42.000-04:00
After a security issue, we ensure we comply to
RFC-7230 -- HTTP/1.1 Message Syntax and Routing
- section 3.3.2 -- Content-Length
- section 3.3.3 -- Message Body Length
diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
@@ -288,6 +288,32 @@ READ_HEADER:
     }
     elsif ($ct_len) {
 
+        # After a security issue, we ensure we comply to
+        # RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+        # section 3.3.2 -- Content-Length
+        # section 3.3.3 -- Message Body Length
+
+        # split and clean up Content-Length ', ' separated string
+        my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str }
+            split ',', $ct_len;
+        # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+        my @nums = grep { /^[0-9]+$/} @vals;
+        unless (@vals == @nums) {
+            $self->send_error(400);
+            $self->reason("Content-Length value must be a unsigned integer");
+            return;
+        }
+        # check they are all the same
+        my $ct_len = shift @nums;
+        foreach (@nums) {
+            next if $_ == $ct_len;
+            $self->send_error(400);
+            $self->reason("Content-Length values are not the same");
+            return;
+        }
+        # ensure we have now a fixed header, with only 1 value
+        $r->header('Content-Length' => $ct_len);
+
         # Plain body specified by "Content-Length"
         my $missing = $ct_len - length($buf);
         while ($missing > 0) {
