File libsoup-CVE-2026-1760.patch of Package libsoup.42977
Index: libsoup-2.68.4/libsoup/soup-message-headers.c
===================================================================
--- libsoup-2.68.4.orig/libsoup/soup-message-headers.c
+++ libsoup-2.68.4/libsoup/soup-message-headers.c
@@ -706,38 +706,13 @@ clear_special_headers (SoupMessageHeader
static void
transfer_encoding_setter (SoupMessageHeaders *hdrs, const char *value)
{
- if (value) {
- /* "identity" is a wrong value according to RFC errata 408,
- * and RFC 7230 does not list it as valid transfer-coding.
- * Nevertheless, the obsolete RFC 2616 stated "identity"
- * as valid, so we can't handle it as unrecognized here
- * for compatibility reasons.
- */
- if (g_ascii_strcasecmp (value, "chunked") == 0)
- hdrs->encoding = SOUP_ENCODING_CHUNKED;
- else if (g_ascii_strcasecmp (value, "identity") != 0)
- hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED;
- } else
- hdrs->encoding = -1;
+ hdrs->encoding = -1;
}
static void
content_length_setter (SoupMessageHeaders *hdrs, const char *value)
{
- /* Transfer-Encoding trumps Content-Length */
- if (hdrs->encoding == SOUP_ENCODING_CHUNKED)
- return;
-
- if (value) {
- char *end;
-
- hdrs->content_length = g_ascii_strtoull (value, &end, 10);
- if (*end)
- hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED;
- else
- hdrs->encoding = SOUP_ENCODING_CONTENT_LENGTH;
- } else
- hdrs->encoding = -1;
+ hdrs->encoding = -1;
}
/**
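Review bot: Both setters now have the same one-line body and ignore `value`, but nothing in the new code says why. A short comment above each would help, e.g. `/* Only invalidate the cached encoding; soup_message_headers_get_encoding() recomputes it from both headers, so the result no longer depends on the order in which they were set. */`. Because `hdrs->content_length` is no longer written at set time, any reader that does not first go through soup_message_headers_get_encoding() would see a stale value; no such reader is visible in this hunk, so that is worth confirming against the rest of the file.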
@@ -769,30 +744,50 @@ content_length_setter (SoupMessageHeader
SoupEncoding
soup_message_headers_get_encoding (SoupMessageHeaders *hdrs)
{
- const char *header;
+ const char *content_length;
+ const char *transfer_encoding;
if (hdrs->encoding != -1)
return hdrs->encoding;
- /* If Transfer-Encoding was set, hdrs->encoding would already
- * be set. So we don't need to check that possibility.
- */
- header = soup_message_headers_get_one (hdrs, "Content-Length");
- if (header) {
- content_length_setter (hdrs, header);
- if (hdrs->encoding != -1)
- return hdrs->encoding;
+ /* Transfer-Encoding is check first because it overrides the Content-Length */
+ transfer_encoding = soup_message_headers_get_one (hdrs, "Transfer-Encoding");
+ if (transfer_encoding) {
+ /* "identity" is a wrong value according to RFC errata 408,
+ * and RFC 7230 does not list it as valid transfer-coding.
+ * Nevertheless, the obsolete RFC 2616 stated "identity"
+ * as valid, so we can't handle it as unrecognized here
+ * for compatibility reasons.
+ */
+ if (g_ascii_strcasecmp (transfer_encoding, "chunked") == 0)
+ hdrs->encoding = SOUP_ENCODING_CHUNKED;
+ else if (g_ascii_strcasecmp (transfer_encoding, "identity") != 0)
+ hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED;
+ } else {
+ content_length = soup_message_headers_get_one (hdrs, "Content-Length");
+ if (content_length) {
+ char *end;
+
+ hdrs->content_length = g_ascii_strtoull (content_length, &end, 10);
+ if (*end)
+ hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED;
+ else
+ hdrs->encoding = SOUP_ENCODING_CONTENT_LENGTH;
+ }
+ }
+
+ if (hdrs->encoding == -1) {
+ /* Per RFC 2616 4.4, a response body that doesn't indicate its
+ * encoding otherwise is terminated by connection close, and a
+ * request that doesn't indicate otherwise has no body. Note
+ * that SoupMessage calls soup_message_headers_set_encoding()
+ * to override the response body default for our own
+ * server-side messages.
+ */
+ hdrs->encoding = (hdrs->type == SOUP_MESSAGE_HEADERS_RESPONSE) ?
+ SOUP_ENCODING_EOF : SOUP_ENCODING_NONE;
}
- /* Per RFC 2616 4.4, a response body that doesn't indicate its
- * encoding otherwise is terminated by connection close, and a
- * request that doesn't indicate otherwise has no body. Note
- * that SoupMessage calls soup_message_headers_set_encoding()
- * to override the response body default for our own
- * server-side messages.
- */
- hdrs->encoding = (hdrs->type == SOUP_MESSAGE_HEADERS_RESPONSE) ?
- SOUP_ENCODING_EOF : SOUP_ENCODING_NONE;
return hdrs->encoding;
}
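Review bot: With `Transfer-Encoding: identity` the first branch leaves `hdrs->encoding` at -1, and the Content-Length lookup is skipped because it sits in the `else`, so the message falls through to the EOF/NONE default even when it carries a Content-Length. The removed code ended up at SOUP_ENCODING_CONTENT_LENGTH for that combination, so this is a behaviour change that the "compatibility reasons" comment does not cover. On the request side it means a declared body is treated as absent. If identity is still meant to be tolerated, replace `} else {` with `}` followed by `if (hdrs->encoding == -1) {`, so Content-Length is consulted whenever Transfer-Encoding did not decide the framing. The `Connection: close` guard added to parse_request_headers in the third hunk matches only SOUP_ENCODING_CHUNKED, so it would not cover this case either. Separately, the new comment should read "is checked first".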
Index: libsoup-2.68.4/libsoup/soup-message-server-io.c
===================================================================
--- libsoup-2.68.4.orig/libsoup/soup-message-server-io.c
+++ libsoup-2.68.4/libsoup/soup-message-server-io.c
@@ -80,6 +80,14 @@ parse_request_headers (SoupMessage *msg,
return SOUP_STATUS_BAD_REQUEST;
}
+ /* A server MAY reject a request that contains both Content-Length and
+ * Transfer-Encoding or process such a request in accordance with the
+ * Transfer-Encoding alone. Regardless, the server MUST close the connection
+ * after responding to such a request to avoid the potential attacks
+ */
+ if (*encoding == SOUP_ENCODING_CHUNKED && soup_message_headers_get_one (msg->request_headers, "Content-Length"))
+ soup_message_headers_replace (msg->request_headers, "Connection", "close");
+
/* Generate correct context for request */
req_host = soup_message_headers_get_one (msg->request_headers, "Host");
if (req_host && strchr (req_host, '/')) {
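Review bot: The guard rewrites the client's own `Connection` request header with soup_message_headers_replace(), so handlers that inspect the request later see a synthesized `close` and lose any other tokens the client sent. Whether the connection is actually closed depends on keep-alive logic outside this hunk reading the request headers, which is worth confirming. The comment ends at "the potential attacks" without naming them; it could state the risk and the deliberate rewrite, e.g. `/* RFC 9112 section 6.1: Content-Length together with Transfer-Encoding may indicate request smuggling; force the connection closed by rewriting the request's Connection header. */`. The condition line also runs well past the width of the surrounding code and would read better wrapped after `&&`. parse_request_headers starts and ends outside the hunk.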