http3: reject negative values for the Content-Length header (#3966)

2025-04-03 04:07:35 +03:00 · 2023-07-17 19:23:54 -07:00 · 2023-07-17 19:23:54 -07:00 · ab192a084d
commit ab192a084d
parent c4b3d979bd
2 changed files with 16 additions and 3 deletions
--- a/http3/request.go
+++ b/http3/request.go
@ -96,12 +96,13 @@ func requestFromHeaders(headers []qpack.HeaderField) (*http.Request, error) {

 	var contentLength int64
 	if len(contentLengthStr) > 0 {
-		cl, err := strconv.ParseInt(contentLengthStr, 10, 64)
+		// use ParseUint instead of ParseInt, so that parsing fails on negative values
+		cl, err := strconv.ParseUint(contentLengthStr, 10, 63)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("invalid content length: %w", err)
 		}
 		httpHeaders.Set("Content-Length", contentLengthStr)
-		contentLength = cl
+		contentLength = int64(cl)
 	}

 	return &http.Request{
--- a/http3/request_test.go
+++ b/http3/request_test.go
@ -66,6 +66,18 @@ var _ = Describe("Request", func() {
 		Expect(err).To(MatchError(`invalid header field value for content: "\n"`))
 	})

+	It("rejects negative Content-Length values", func() {
+		headers := []qpack.HeaderField{
+			{Name: ":path", Value: "/foo"},
+			{Name: ":authority", Value: "quic.clemente.io"},
+			{Name: ":method", Value: "GET"},
+			{Name: "content-length", Value: "-42"},
+		}
+		_, err := requestFromHeaders(headers)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("invalid content length"))
+	})
+
 	It("parses path with leading double slashes", func() {
 		headers := []qpack.HeaderField{
 			{Name: ":path", Value: "//foo"},