Add more HTTP/1.1 header parsing tests

Fix a case where Cowboy was waiting for more data that simply
did not come. Now Cowboy will generate an error immediately
when a header line has no colon separator.

These test cases come from known request smuggling attack
vectors. Cowboy was not vulnerable to any of them.

1 files changed, 10 insertions, 1 deletions

diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index 5136a3b..a6c640a 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -541,7 +541,16 @@ parse_header_colon(Buffer, State=#state{opts=Opts, in_state=PS}, Headers) ->
 				{connection_error, limit_reached,
 					'A header name is larger than configuration allows. (RFC7230 3.2.5, RFC6585 5)'});
 		nomatch ->
-			{more, State#state{in_state=PS#ps_header{headers=Headers}}, Buffer};
+			%% We don't have a colon but we might have an invalid header line,
+			%% so check if we have an LF and abort with an error if we do.
+			case match_eol(Buffer, 0) of
+				nomatch ->
+					{more, State#state{in_state=PS#ps_header{headers=Headers}}, Buffer};
+				_ ->
+					error_terminate(400, State#state{in_state=PS#ps_header{headers=Headers}},
+						{connection_error, protocol_error,
+							'A header line is missing a colon separator. (RFC7230 3.2.4)'})
+			end;
 		_ ->
 			parse_hd_name(Buffer, State, Headers, <<>>)
 	end.