netty/CVE-2019-20445-3.patch

From 5f68897880467c00f29495b0aa46ed19bf7a873c Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Wed, 5 Feb 2020 14:33:28 +0100
Subject: [PATCH] Added tests for Transfer-Encoding header with whitespace
 (#9997)

Motivation:

Need tests to ensure that CVE-2020-7238 is fixed.

Modifications:

Added two test cases into HttpRequestDecoderTest which check that
no whitespace is allowed before the Transfer-Encoding header.

Result:

Improved test coverage for #9861
---
 .../codec/http/HttpRequestDecoderTest.java    | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
index 1e780b7959f..2548af0e2af 100644
--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
@@ -325,7 +325,30 @@ public void testTooLargeHeaders() {
     public void testWhitespace() {
         String requestStr = "GET /some/path HTTP/1.1\r\n" +
                 "Transfer-Encoding : chunked\r\n" +
-                "Host: netty.io\n\r\n";
+                "Host: netty.io\r\n\r\n";
+        testInvalidHeaders0(requestStr);
+    }
+
+    @Test
+    public void testWhitespaceBeforeTransferEncoding01() {
+        String requestStr = "GET /some/path HTTP/1.1\r\n" +
+                " Transfer-Encoding : chunked\r\n" +
+                "Content-Length: 1\r\n" +
+                "Host: netty.io\r\n\r\n" +
+                "a";
+        testInvalidHeaders0(requestStr);
+    }
+
+    @Test
+    public void testWhitespaceBeforeTransferEncoding02() {
+        String requestStr = "POST / HTTP/1.1" +
+                " Transfer-Encoding : chunked\r\n" +
+                "Host: target.com" +
+                "Content-Length: 65\r\n\r\n" +
+                "0\r\n\r\n" +
+                "GET /maliciousRequest HTTP/1.1\r\n" +
+                "Host: evilServer.com\r\n" +
+                "Foo: x";
         testInvalidHeaders0(requestStr);
     }
fix CVE 2020-12-04 15:27:56 +08:00			`From 5f68897880467c00f29495b0aa46ed19bf7a873c Mon Sep 17 00:00:00 2001`
			`From: Artem Smotrakov <artem.smotrakov@gmail.com>`
			`Date: Wed, 5 Feb 2020 14:33:28 +0100`
			`Subject: [PATCH] Added tests for Transfer-Encoding header with whitespace`
			`(#9997)`

			`Motivation:`

			`Need tests to ensure that CVE-2020-7238 is fixed.`

			`Modifications:`

			`Added two test cases into HttpRequestDecoderTest which check that`
			`no whitespace is allowed before the Transfer-Encoding header.`

			`Result:`

			`Improved test coverage for #9861`
			`---`
			`.../codec/http/HttpRequestDecoderTest.java \| 25 ++++++++++++++++++-`
			`1 file changed, 24 insertions(+), 1 deletion(-)`

			`diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java`
			`index 1e780b7959f..2548af0e2af 100644`
			`--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java`
			`+++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java`
			`@@ -325,7 +325,30 @@ public void testTooLargeHeaders() {`
			`public void testWhitespace() {`
			`String requestStr = "GET /some/path HTTP/1.1\r\n" +`
			`"Transfer-Encoding : chunked\r\n" +`
			`- "Host: netty.io\n\r\n";`
			`+ "Host: netty.io\r\n\r\n";`
			`+ testInvalidHeaders0(requestStr);`
			`+ }`
			`+`
			`+ @Test`
			`+ public void testWhitespaceBeforeTransferEncoding01() {`
			`+ String requestStr = "GET /some/path HTTP/1.1\r\n" +`
			`+ " Transfer-Encoding : chunked\r\n" +`
			`+ "Content-Length: 1\r\n" +`
			`+ "Host: netty.io\r\n\r\n" +`
			`+ "a";`
			`+ testInvalidHeaders0(requestStr);`
			`+ }`
			`+`
			`+ @Test`
			`+ public void testWhitespaceBeforeTransferEncoding02() {`
			`+ String requestStr = "POST / HTTP/1.1" +`
			`+ " Transfer-Encoding : chunked\r\n" +`
			`+ "Host: target.com" +`
			`+ "Content-Length: 65\r\n\r\n" +`
			`+ "0\r\n\r\n" +`
			`+ "GET /maliciousRequest HTTP/1.1\r\n" +`
			`+ "Host: evilServer.com\r\n" +`
			`+ "Foo: x";`
			`testInvalidHeaders0(requestStr);`
			`}`