Commit 0467606ff4dbf57401c8b58188652df821ec865b

Edward Thomson 2018-11-18T11:00:11

http: disallow repeated headers from servers

Don't allow servers to send us multiple Content-Type, Content-Length or Location headers.

diff --git a/src/transports/http.c b/src/transports/http.c
index 9257722..ce2e309 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -306,16 +306,22 @@ static int on_header_ready(http_subtransport *t)
 	git_buf *value = &t->parse_header_value;
 
 	if (!strcasecmp("Content-Type", git_buf_cstr(name))) {
-		if (!t->content_type) {
-			t->content_type = git__strdup(git_buf_cstr(value));
-			GITERR_CHECK_ALLOC(t->content_type);
+		if (t->content_type) {
+			giterr_set(GITERR_NET, "multiple Content-Type headers");
+			return -1;
 		}
+
+		t->content_type = git__strdup(git_buf_cstr(value));
+		GITERR_CHECK_ALLOC(t->content_type);
 	}
 	else if (!strcasecmp("Content-Length", git_buf_cstr(name))) {
-		if (!t->content_length) {
-			t->content_length = git__strdup(git_buf_cstr(value));
-			GITERR_CHECK_ALLOC(t->content_length);
+		if (t->content_length) {
+			giterr_set(GITERR_NET, "multiple Content-Length headers");
+			return -1;
 		}
+
+		t->content_length = git__strdup(git_buf_cstr(value));
+		GITERR_CHECK_ALLOC(t->content_length);
 	}
 	else if (!strcasecmp("Proxy-Authenticate", git_buf_cstr(name))) {
 		char *dup = git__strdup(git_buf_cstr(value));
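Review bot: The Content-Length branch rejects only a second field line; a single line carrying a list value such as `Content-Length: 42, 42` is still copied into `t->content_length` unchanged. That is the other form of ambiguous length that RFC 7230 section 3.3.2 asks recipients to reject or collapse. Whether the string is validated where it is consumed is not visible in this hunk, so either check before the `git__strdup` that the value is only digits, or record the limit with a comment such as `/* rejects repeated field lines only; list values within one line are not checked here */`. on_header_ready starts above the hunk and continues past it.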
@@ -332,10 +338,13 @@ static int on_header_ready(http_subtransport *t)
 			return -1;
 	}
 	else if (!strcasecmp("Location", git_buf_cstr(name))) {
-		if (!t->location) {
-			t->location = git__strdup(git_buf_cstr(value));
-			GITERR_CHECK_ALLOC(t->location);
+		if (t->location) {
+			giterr_set(GITERR_NET, "multiple Location headers");
+			return -1;
 		}
+
+		t->location = git__strdup(git_buf_cstr(value));
+		GITERR_CHECK_ALLOC(t->location);
 	}
 
 	return 0;
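Review bot: Rejecting a second `Location` (and, in the first hunk, a second `Content-Type` or `Content-Length`) is only correct if these three fields are freed and set back to NULL before each new response is parsed on the same `http_subtransport`. The old code silently kept a stale value in that case, whereas the new code would fail a follow-up response after a redirect or an authentication retry with "multiple Location headers". The reset is not visible in this diff, so it is worth confirming and stating next to the check, for example `/* t->location is cleared per response, so non-NULL means a repeat within this response */`. The closing brace of on_header_ready lies outside the hunk.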