mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-03 20:27:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

http3: enforce that DATA frames don't exceed Content-Length (#3980)

Browse source
This commit is contained in:
Marten Seemann 2023-07-20 09:47:01 -07:00 committed by GitHub
parent 56cd866840
commit 5a22ac8970
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 124 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

10
http3/client.go
View file

@ -426,7 +426,15 @@ func (c *client) doRequest(req *http.Request, conn quic.EarlyConnection, str qui
connState := conn.ConnectionState().TLS
res.TLS = &connState
res.Request = req
respBody := newResponseBody(hstr, conn, reqDone)
// Check that the server doesn't send more data in DATA frames than indicated by the Content-Length header (if set).
// See section 4.1.2 of RFC 9114.
var httpStr Stream
if _, ok := req.Header["Content-Length"]; ok && req.ContentLength >= 0 {
httpStr = newLengthLimitedStream(hstr, req.ContentLength)
} else {
httpStr = hstr
}
respBody := newResponseBody(httpStr, conn, reqDone)
// Rules for when to set Content-Length are defined in https://tools.ietf.org/html/rfc7230#section-3.3.2.
_, hasTransferEncoding := res.Header["Transfer-Encoding"]