From 4a2dd6f3777959187565edd79475091e155e2161 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 9 Jul 2024 07:55:58 +0200
Subject: [PATCH] BUG/MEDIUM: h1: Reject empty Transfer-encoding header

The Transfer-Encoding headers list the transfer coding that have been
applied to the content in order to form the message body. It is a list of
tokens. And as specified by RFC 9110, a token cannot be empty. When several
coding names are specify as a comma-separated value, this case is properly
handled and an error is triggered. However, an empty header value will just
be skipped and no error is triggered. This could be an issue with some buggy
servers.

Now, empty Transfer-Encoding header are rejected too.

This patch must be backported as far as 2.6.
---
 src/h1.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/h1.c b/src/h1.c
index c37367645..ca001e8e5 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -129,6 +129,10 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
 	char *e, *n;
 	struct ist word;
 
+	/* Reject empty header */
+	if (istptr(value) == istend(value))
+	    goto fail;
+
 	h1m->flags |= H1_MF_XFER_ENC;
 
 	word.ptr = value.ptr - 1; // -1 for next loop's pre-increment