Prevent request smuggling

If a request has both a content-length and transfer-encoding headers, return a 400 response. This is allowed by RFC 7230 section 3.3.3.3. Fixes#145

Author: jeremyevans

lib/webrick/httprequest.rb

@@ -531,6 +531,10 @@ def parse_host_request_line(host)
 defread_body(socket,block)
 returnunlesssocket
 iftc=self['transfer-encoding']
+ifself['content-length']
+raiseHTTPStatus::BadRequest,"request with both transfer-encoding and content-length, possible request smuggling"
+end
+
 casetc
 when/\Achunked\z/iothenread_chunked(socket,block)
 elseraiseHTTPStatus::NotImplemented,"Transfer-Encoding: #{tc}."

test/webrick/test_httprequest.rb

@@ -219,6 +219,24 @@ def test_duplicate_content_length_header
 }
 end
 
+deftest_content_length_and_transfer_encoding_headers_smuggling
+msg=<<~HTTP.gsub("\n","\r\n")
+ POST /user HTTP/1.1
+ Content-Length: 28
+ Transfer-Encoding: chunked
+
+ 0
+
+ GET /admin HTTP/1.1
+
+ HTTP
+req=WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+req.parse(StringIO.new(msg))
+assert_raise(WEBrick::HTTPStatus::BadRequest){
+req.body
+}
+end
+
 deftest_parse_headers
 msg=<<~HTTP.gsub("\n","\r\n")
  GET /path HTTP/1.1