fix a potential DoS vulnerability by restricting the length of the HT…

…TP chunk size in chunked transfer encoding
yaoyu · Jan 24, 2017 · 29f259c · 29f259c
1 parent 28de783
commit 29f259c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/Net/src/HTTPChunkedStream.cpp b/Net/src/HTTPChunkedStream.cpp
@@ -67,7 +67,8 @@ int HTTPChunkedStreamBuf::readFromDevice(char* buffer, std::streamsize length)
 		int ch = _session.get();
 		while (Poco::Ascii::isSpace(ch)) ch = _session.get();
 		std::string chunkLen;
-		while (Poco::Ascii::isHexDigit(ch)) { chunkLen += (char) ch; ch = _session.get(); }
+		while (Poco::Ascii::isHexDigit(ch) && chunkLen.size() < 8) { chunkLen += (char) ch; ch = _session.get(); }
+		if (ch != eof && !(Poco::Ascii::isSpace(ch) || ch == ';')) return eof;
 		while (ch != eof && ch != '\n') ch = _session.get();
 		unsigned chunk;
 		if (NumberParser::tryParseHex(chunkLen, chunk))