From a14ecf19c68ba5b9eb828a41356b1adbc1c5739c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <essen@ninenines.eu>
Date: Wed, 2 Oct 2019 13:31:13 +0200
Subject: Add more HTTP/1.1 header parsing tests

Fix a case where Cowboy was waiting for more data that simply
did not come. Now Cowboy will generate an error immediately
when a header line has no colon separator.

These test cases come from known request smuggling attack
vectors. Cowboy was not vulnerable to any of them.
---
 src/cowboy_http.erl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index 5136a3b..a6c640a 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -541,7 +541,16 @@ parse_header_colon(Buffer, State=#state{opts=Opts, in_state=PS}, Headers) ->
 				{connection_error, limit_reached,
 					'A header name is larger than configuration allows. (RFC7230 3.2.5, RFC6585 5)'});
 		nomatch ->
-			{more, State#state{in_state=PS#ps_header{headers=Headers}}, Buffer};
+			%% We don't have a colon but we might have an invalid header line,
+			%% so check if we have an LF and abort with an error if we do.
+			case match_eol(Buffer, 0) of
+				nomatch ->
+					{more, State#state{in_state=PS#ps_header{headers=Headers}}, Buffer};
+				_ ->
+					error_terminate(400, State#state{in_state=PS#ps_header{headers=Headers}},
+						{connection_error, protocol_error,
+							'A header line is missing a colon separator. (RFC7230 3.2.4)'})
+			end;
 		_ ->
 			parse_hd_name(Buffer, State, Headers, <<>>)
 	end.
-- 
cgit v1.2.3