Made chunked encoding HTTP header check stricter (#6305) (#6306)

patchback[bot] · asvetlov · web-flow · commit 8457ffd9f4ea · 2021-11-13T12:09:35.000Z
(cherry picked from commit 7f32513) Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
diff --git a/CHANGES/6305.bugfix b/CHANGES/6305.bugfix
@@ -0,0 +1 @@
+Made chunked encoding HTTP header check stricter.
diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
@@ -491,9 +491,10 @@ def parse_headers(
         # chunking
         te = headers.get(hdrs.TRANSFER_ENCODING)
         if te is not None:
-            te_lower = te.lower()
-            if "chunked" in te_lower:
+            if "chunked" == te.lower():
                 chunked = True
+            else:
+                raise BadHttpMessage("Request has invalid `Transfer-Encoding`")
 
             if hdrs.CONTENT_LENGTH in headers:
                 raise BadHttpMessage(
diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
@@ -304,6 +304,15 @@ def test_request_te_chunked_with_content_length(parser: Any) -> None:
         parser.feed_data(text)
 
 
+def test_request_te_chunked123(parser: Any) -> None:
+    text = b"GET /test HTTP/1.1\r\n" b"transfer-encoding: chunked123\r\n\r\n"
+    with pytest.raises(
+        http_exceptions.BadHttpMessage,
+        match="Request has invalid `Transfer-Encoding`",
+    ):
+        parser.feed_data(text)
+
+
 def test_conn_upgrade(parser: Any) -> None:
     text = (
         b"GET /test HTTP/1.1\r\n"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Made chunked encoding HTTP header check stricter.`