From: Markus Koschany <apo@debian.org>
Date: Sat, 20 Mar 2021 13:17:48 +0200
Subject: CVE-2019-20444
Bug-Debian: https://bugs.debian.org/950966
Origin: https://github.com/netty/netty/commit/a7c18d44b46e02dadfe3da225a06e5091f5f328e
---
.../io/netty/handler/codec/http/HttpObjectDecoder.java | 5 +++++
.../netty/handler/codec/http/HttpRequestDecoderTest.java | 16 ++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
index 2e940d2..d3f5b79 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
@@ -755,6 +755,11 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
}
}
+ if (nameEnd == length) {
+ // There was no colon present at all.
+ throw new IllegalArgumentException("No colon found");
+ }
+
for (colonEnd = nameEnd; colonEnd < length; colonEnd ++) {
if (sb.charAt(colonEnd) == ':') {
colonEnd ++;
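Review bot: The new `nameEnd == length` guard only rejects a line on which the name scan ran to the end of the buffer, so whether every colon-less header is refused depends on the scan loop above, which starts outside this hunk. If that loop also stops on whitespace, a line containing a space but no colon would leave `nameEnd < length`, pass this check, and run through the `colonEnd` loop below without ever matching `':'`. I would confirm this against the full method and, if it holds, record in a local flag whether `':'` was seen in the `colonEnd` loop and throw the same `IllegalArgumentException("No colon found")` when it was not. A comment such as `// nameEnd == length: the name scan reached end of line without a terminator` would also make the invariant explicit. The `colonEnd` loop continues past the end of the hunk.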
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
index 2b2d0cc..414a033 100644
--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
@@ -334,4 +334,20 @@ public class HttpRequestDecoderTest {
assertTrue(request.decoderResult().cause() instanceof IllegalArgumentException);
assertFalse(channel.finish());
}
+
+ @Test
+ public void testHeaderWithNoValueAndMissingColon() {
+ EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
+ String requestStr = "GET /some/path HTTP/1.1\r\n" +
+ "Content-Length: 0\r\n" +
+ "Host:\r\n" +
+ "netty.io\r\n\r\n";
+
+ assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));
+ HttpRequest request = channel.readInbound();
+ System.err.println(request.headers().names().toString());
+ assertTrue(request.decoderResult().isFailure());
+ assertTrue(request.decoderResult().cause() instanceof IllegalArgumentException);
+ assertFalse(channel.finish());
+ }
}
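Review bot: The `System.err.println(request.headers().names().toString());` line in `testHeaderWithNoValueAndMissingColon` is leftover debugging output and should be dropped; it writes to the build log on every run and verifies nothing. The test also only pins the exception type, which the preceding test in this file already checks for a different malformed header, so the two failures are not distinguished. If the decoder stores the thrown exception unchanged as the cause (not visible here), adding `assertEquals("No colon found", request.decoderResult().cause().getMessage());` would tie this test to the new guard specifically.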