blob: 94c4b9c5504526abd4b4aabfb92e8d46b2f6f604 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
From c6838374d0e323b78877ae546e1471c400e4652d Mon Sep 17 00:00:00 2001
From: Tom Most <twm@freecog.net>
Date: Mon, 7 Mar 2022 00:32:14 -0800
Subject: [PATCH] Reject non-digit Content-Length
Upstream-Status: Backport [https://github.com/twisted/twisted/commit/8ebfa8f6577431226e109ff98ba48f5152a2c416]
CVE: CVE-2022-24801
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/twisted/web/http.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
index 262da0b..5316d81 100644
--- a/src/twisted/web/http.py
+++ b/src/twisted/web/http.py
@@ -2274,6 +2274,8 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
# Can this header determine the length?
if header == b"content-length":
+ if not data.isdigit():
+ return fail()
try:
length = int(data)
except ValueError:
|
