fix(http1): fix server misinterpretting multiple Transfer-Encoding headers

seanmonstar · seanmonstar · commit 8f93123efef5 · 2021-02-05T14:10:02.000-08:00
When a request arrived with multiple `Transfer-Encoding` headers, hyper would check each if they ended with `chunked`. It should have only checked if the *last* header ended with `chunked`. See GHSA-6hfq-h8hq-87mf
diff --git a/src/proto/h1/role.rs b/src/proto/h1/role.rs
@@ -213,6 +213,8 @@ impl Http1Transaction for Server {
                     if headers::is_chunked_(&value) {
                         is_te_chunked = true;
                         decoder = DecodedLength::CHUNKED;
+                    } else {
+                        is_te_chunked = false;
                     }
                 }
                 header::CONTENT_LENGTH => {
@@ -1444,6 +1446,16 @@ mod tests {
             "transfer-encoding doesn't end in chunked",
         );
 
+        parse_err(
+            "\
+             POST / HTTP/1.1\r\n\
+             transfer-encoding: chunked\r\n\
+             transfer-encoding: afterlol\r\n\
+             \r\n\
+             ",
+            "transfer-encoding multiple lines doesn't end in chunked",
+        );
+
         // http/1.0
 
         assert_eq!(
