From 428451fe96d9ad9ba8ef0f0669e145a37d97304d Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 9 Jul 2024 08:57:53 +0200
Subject: [PATCH] BUG/MINOR: h1: Reject empty coding name as last
 transfer-encoding value

The following Transfer-Encoding header is now rejected with a
400-bad-request:

  Transfer-Encoding: chunked,\r\n

This case was not properly handled and the last empty value was just
ignored.

This patch must be backported as far as 2.6.
---
 src/h1.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/h1.c b/src/h1.c
index ff3f5ae9a..c37367645 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -140,6 +140,10 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
 			continue;
 
 		n = http_find_hdr_value_end(word.ptr, e); // next comma or end of line
+
+		/* a comma at the end means the last value is empty */
+		if (n+1 == e)
+			goto fail;
 		word.len = n - word.ptr;
 
 		/* trim trailing blanks */