Closed
Description
When WEBrick receives a request with a chunked message body with a chunk length that's less than the length of the subsequent data, it silently ignores the extra data.
For example, if you send WEBrick the following request:
```
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
3\r\n
ABCthis-all-gets-ignored\r\n
0\r\n
\r\n
```
Then, WEBrick sees the message body as `ABC`.
Other HTTP implementations (Apache, Daphne, Deno, FastHTTP, Go net/http, Gunicorn, H2O, HAProxy, Hypercorn, Jetty, Libevent, Lighttpd, Nginx, Node.js, Puma, Tomcat, Unicorn, Uvicorn, and Waitress) respond 400 when they receive requests with invalid chunked bodies.
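Added example, not part of the original issue and not WEBrick's code: a minimal chunked-body decoder that contrasts a strict check (chunk data must be followed immediately by CRLF, otherwise reject, which a server would map to 400) with a lenient mode modelling the behaviour described above. The names `decode_chunked` and `BadChunk` are hypothetical, the lenient branch is a simplification, and trailer fields are not supported.

```ruby
require "stringio"

# Hypothetical error type; a server would translate it into a 400 response.
class BadChunk < StandardError; end

# Decode a chunked message body (the bytes after the header section).
# strict: true  -> chunk data must be followed immediately by CRLF.
# strict: false -> models the lenient behaviour from the issue: anything
#                  between the declared chunk data and the next CRLF is dropped.
def decode_chunked(raw, strict: true)
  io = StringIO.new(raw.b)
  body = "".b
  loop do
    line = io.gets("\r\n") or raise BadChunk, "missing chunk-size line"
    # chunk-size is 1*HEXDIG; an optional chunk extension after ";" is skipped.
    m = /\A([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n\z/.match(line) or
      raise BadChunk, "malformed chunk-size line"
    size = m[1].to_i(16)
    if size.zero?
      # Last chunk: this sketch expects an empty trailer section.
      raise BadChunk, "missing final CRLF" unless io.gets("\r\n") == "\r\n"
      return body
    end
    data = io.read(size)
    raise BadChunk, "truncated chunk" if data.nil? || data.bytesize < size
    body << data
    if strict
      # The two bytes after the declared chunk data must be exactly CRLF.
      unless io.read(2) == "\r\n"
        raise BadChunk, "chunk data longer than declared chunk size"
      end
    else
      io.gets("\r\n") # lenient: silently skip to the end of the line
    end
  end
end

# Body of the request shown in the issue.
SAMPLE = "3\r\nABCthis-all-gets-ignored\r\n0\r\n\r\n"

puts "lenient: #{decode_chunked(SAMPLE, strict: false).inspect}"
begin
  decode_chunked(SAMPLE)
rescue BadChunk => e
  puts "strict:  rejected (#{e.message})"
end
```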