From 7b74fc98457ce08b2d8a445660c1f9e55eca782f Mon Sep 17 00:00:00 2001
From: Jeppe Bonde Weikop <49099666+JeppW@users.noreply.github.com>
Date: Sun, 24 Nov 2024 13:10:50 +0100
Subject: [PATCH] fix: lenient chunk extension parsing leading to request
 smuggling issues (#1899)

* fix request smuggling issue

* correct broken error messages

* fix lint
---
 http.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/http.go b/http.go
index f4cfad9be1..99a8bddf8a 100644
--- a/http.go
+++ b/http.go
@@ -2505,17 +2505,24 @@ func parseChunkSize(r *bufio.Reader) (int, error) {
 		c, err := r.ReadByte()
 		if err != nil {
 			return -1, ErrBrokenChunk{
-				error: fmt.Errorf("cannot read '\r' char at the end of chunk size: %w", err),
+				error: fmt.Errorf("cannot read '\\r' char at the end of chunk size: %w", err),
 			}
 		}
 		// Skip chunk extension after chunk size.
 		// Add support later if anyone needs it.
 		if c != '\r' {
+			// Security: Don't allow newlines in chunk extensions.
+			// This can lead to request smuggling issues with some reverse proxies.
+			if c == '\n' {
+				return -1, ErrBrokenChunk{
+					error: errors.New("invalid character '\\n' after chunk size"),
+				}
+			}
 			continue
 		}
 		if err := r.UnreadByte(); err != nil {
 			return -1, ErrBrokenChunk{
-				error: fmt.Errorf("cannot unread '\r' char at the end of chunk size: %w", err),
+				error: fmt.Errorf("cannot unread '\\r' char at the end of chunk size: %w", err),
 			}
 		}
 		break