From a7740479b399e2cb866cfcf40b595f19ca876b95 Mon Sep 17 00:00:00 2001
From: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Date: Wed, 17 Apr 2024 11:36:51 -0500
Subject: [PATCH 1/2] Issue #11659 - Properly ignore OWS before
 `Content-Length` value.

---
 .../org/eclipse/jetty/http/HttpParser.java    | 18 ++++++--
 .../eclipse/jetty/http/HttpParserTest.java    | 41 ++++++++++++++++++-
 2 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
index f7907a83f765..03aef10e777c 100644
--- a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
+++ b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
@@ -1228,11 +1228,21 @@ private long convertContentLength(String valueString)
 
         for (int i = 0; i < length; i++)
         {
-            char c = valueString.charAt(i);
-            if (c < '0' || c > '9')
-                throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException());
+            char ch = valueString.charAt(i);
+            HttpTokens.Token t = HttpTokens.getToken(ch);
 
-            value = Math.addExact(Math.multiplyExact(value, 10), c - '0');
+            switch (t.getType())
+            {
+                case SPACE:
+                case HTAB:
+                    // ignore OWS
+                    continue;
+                case DIGIT:
+                    value = Math.addExact(Math.multiplyExact(value, 10), ch - '0');
+                    break;
+                default:
+                    throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException());
+            }
         }
         return value;
     }
diff --git a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
index ecb1c7b1eb19..a8d427406ae9 100644
--- a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
+++ b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
@@ -1971,7 +1971,8 @@ public void testBadCR(String eoln)
         "+10",
         "1.0",
         "1,0",
-        "10,"
+        "10,",
+        "10A"
     })
     public void testBadContentLengths(String contentLength)
     {
@@ -1994,6 +1995,44 @@ public void testBadContentLengths(String contentLength)
         assertEquals(HttpParser.State.CLOSED, parser.getState());
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = {
+        " 10 ",
+        "10 ",
+        " 10",
+        "\t10",
+        "\t10\t",
+        "10\t",
+        " \t \t \t 10"
+    })
+    public void testContentLengthWithOWS(String contentLength)
+    {
+        String rawRequest = """
+            GET /test HTTP/1.1\r
+            Host: localhost\r
+            Content-Length: @LEN@\r
+            \r
+            1234567890
+            """.replace("@LEN@", contentLength);
+        ByteBuffer buffer = BufferUtil.toBuffer(rawRequest);
+
+        HttpParser.RequestHandler handler = new Handler();
+        HttpParser parser = new HttpParser(handler);
+        parseAll(parser, buffer);
+
+        assertEquals("GET", _methodOrVersion);
+        assertEquals("/test", _uriOrStatus);
+        assertEquals("HTTP/1.1", _versionOrReason);
+        assertEquals("localhost", _val[0]);
+        assertEquals("Host", _hdr[0]);
+        assertEquals("localhost", _val[0]);
+
+        assertEquals(_content.length(), 10);
+        assertEquals(parser.getContentLength(), 10);
+        assertTrue(_headerCompleted);
+        assertTrue(_messageCompleted);
+    }
+
     @ParameterizedTest
     @ValueSource(strings = {"\r\n", "\n"})
     public void testMultipleContentLengthWithLargerThenCorrectValue(String eoln)

From 19917d96267a5eda78c37aace7db9e25c75730e2 Mon Sep 17 00:00:00 2001
From: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Date: Thu, 18 Apr 2024 10:00:48 -0500
Subject: [PATCH 2/2] Issue #11659 - Properly ignore OWS for field values.

---
 .../org/eclipse/jetty/http/HttpParser.java    | 54 ++++++--------
 .../eclipse/jetty/http/HttpParserTest.java    | 74 ++++++++++++++++++-
 2 files changed, 97 insertions(+), 31 deletions(-)

diff --git a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
index 03aef10e777c..810c8f11c7c8 100644
--- a/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
+++ b/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
@@ -95,6 +95,7 @@ public class HttpParser
     public static final Logger LOG = LoggerFactory.getLogger(HttpParser.class);
     public static final int INITIAL_URI_LENGTH = 256;
     private static final int MAX_CHUNK_LENGTH = Integer.MAX_VALUE / 16 - 16;
+    private static final String UNMATCHED_VALUE = "\u0000";
 
     /**
      * Cache of common {@link HttpField}s including: <UL>
@@ -165,7 +166,7 @@ public class HttpParser
             Map<String, HttpField> map = new LinkedHashMap<>();
             for (HttpHeader h : HttpHeader.values())
             {
-                HttpField httpField = new HttpField(h, (String)null);
+                HttpField httpField = new HttpField(h, UNMATCHED_VALUE);
                 map.put(httpField.toString(), httpField);
             }
             return map;
@@ -1228,21 +1229,11 @@ private long convertContentLength(String valueString)
 
         for (int i = 0; i < length; i++)
         {
-            char ch = valueString.charAt(i);
-            HttpTokens.Token t = HttpTokens.getToken(ch);
+            char c = valueString.charAt(i);
+            if (c < '0' || c > '9')
+                throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException());
 
-            switch (t.getType())
-            {
-                case SPACE:
-                case HTAB:
-                    // ignore OWS
-                    continue;
-                case DIGIT:
-                    value = Math.addExact(Math.multiplyExact(value, 10), ch - '0');
-                    break;
-                default:
-                    throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException());
-            }
+            value = Math.addExact(Math.multiplyExact(value, 10), c - '0');
         }
         return value;
     }
@@ -1387,25 +1378,28 @@ else if (_endOfContent == EndOfContent.UNKNOWN_CONTENT)
                                     String n = cachedField.getName();
                                     String v = cachedField.getValue();
 
-                                    if (CASE_SENSITIVE_FIELD_NAME.isAllowedBy(_complianceMode))
+                                    if (v != UNMATCHED_VALUE)
                                     {
-                                        // Have to get the fields exactly from the buffer to match case
-                                        String en = BufferUtil.toString(buffer, buffer.position() - 1, n.length(), StandardCharsets.US_ASCII);
-                                        if (!n.equals(en))
+                                        if (CASE_SENSITIVE_FIELD_NAME.isAllowedBy(_complianceMode))
                                         {
-                                            reportComplianceViolation(CASE_SENSITIVE_FIELD_NAME, en);
-                                            n = en;
-                                            cachedField = new HttpField(cachedField.getHeader(), n, v);
+                                            // Have to get the fields exactly from the buffer to match case
+                                            String en = BufferUtil.toString(buffer, buffer.position() - 1, n.length(), StandardCharsets.US_ASCII);
+                                            if (!n.equals(en))
+                                            {
+                                                reportComplianceViolation(CASE_SENSITIVE_FIELD_NAME, en);
+                                                n = en;
+                                                cachedField = new HttpField(cachedField.getHeader(), n, v);
+                                            }
                                         }
-                                    }
 
-                                    if (v != null && isHeaderCacheCaseSensitive())
-                                    {
-                                        String ev = BufferUtil.toString(buffer, buffer.position() + n.length() + 1, v.length(), StandardCharsets.ISO_8859_1);
-                                        if (!v.equals(ev))
+                                        if (isHeaderCacheCaseSensitive())
                                         {
-                                            v = ev;
-                                            cachedField = new HttpField(cachedField.getHeader(), n, v);
+                                            String ev = BufferUtil.toString(buffer, buffer.position() + n.length() + 1, v.length(), StandardCharsets.ISO_8859_1);
+                                            if (!v.equals(ev))
+                                            {
+                                                v = ev;
+                                                cachedField = new HttpField(cachedField.getHeader(), n, v);
+                                            }
                                         }
                                     }
 
@@ -1414,7 +1408,7 @@ else if (_endOfContent == EndOfContent.UNKNOWN_CONTENT)
 
                                     int posAfterName = buffer.position() + n.length() + 1;
 
-                                    if (v == null || (posAfterName + v.length()) >= buffer.limit())
+                                    if (v == UNMATCHED_VALUE || (posAfterName + v.length()) >= buffer.limit())
                                     {
                                         // Header only
                                         setState(FieldState.VALUE);
diff --git a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
index a8d427406ae9..57db19b52898 100644
--- a/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
+++ b/jetty-core/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java
@@ -2023,7 +2023,6 @@ public void testContentLengthWithOWS(String contentLength)
         assertEquals("GET", _methodOrVersion);
         assertEquals("/test", _uriOrStatus);
         assertEquals("HTTP/1.1", _versionOrReason);
-        assertEquals("localhost", _val[0]);
         assertEquals("Host", _hdr[0]);
         assertEquals("localhost", _val[0]);
 
@@ -2033,6 +2032,79 @@ public void testContentLengthWithOWS(String contentLength)
         assertTrue(_messageCompleted);
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = {
+        " chunked ",
+        "chunked ",
+        " chunked",
+        "\tchunked",
+        "\tchunked\t",
+        "chunked\t",
+        " \t \t \t chunked"
+    })
+    public void testTransferEncodingWithOWS(String transferEncoding)
+    {
+        String rawRequest = """
+            GET /test HTTP/1.1\r
+            Host: localhost\r
+            Transfer-Encoding: @TE@\r
+            \r
+            1\r
+            X\r
+            0\r
+            \r
+            """.replace("@TE@", transferEncoding);
+        ByteBuffer buffer = BufferUtil.toBuffer(rawRequest);
+
+        HttpParser.RequestHandler handler = new Handler();
+        HttpParser parser = new HttpParser(handler);
+        parseAll(parser, buffer);
+
+        assertEquals("GET", _methodOrVersion);
+        assertEquals("/test", _uriOrStatus);
+        assertEquals("HTTP/1.1", _versionOrReason);
+        assertEquals("Host", _hdr[0]);
+        assertEquals("localhost", _val[0]);
+        assertEquals("Transfer-Encoding", _hdr[1]);
+        assertEquals("chunked", _val[1]);
+
+        assertTrue(_headerCompleted);
+        assertTrue(_messageCompleted);
+    }
+
+    @ParameterizedTest
+    @ValueSource(strings = {
+        " testhost ",
+        "testhost ",
+        " testhost",
+        "\ttesthost",
+        "\ttesthost\t",
+        "testhost\t",
+        " \t \t \t testhost"
+    })
+    public void testHostWithOWS(String host)
+    {
+        String rawRequest = """
+            GET /test HTTP/1.1\r
+            Host: @HOST@\r
+            \r
+            """.replace("@HOST@", host);
+        ByteBuffer buffer = BufferUtil.toBuffer(rawRequest);
+
+        HttpParser.RequestHandler handler = new Handler();
+        HttpParser parser = new HttpParser(handler);
+        parseAll(parser, buffer);
+
+        assertEquals("GET", _methodOrVersion);
+        assertEquals("/test", _uriOrStatus);
+        assertEquals("HTTP/1.1", _versionOrReason);
+        assertEquals("Host", _hdr[0]);
+        assertEquals("testhost", _val[0]);
+
+        assertTrue(_headerCompleted);
+        assertTrue(_messageCompleted);
+    }
+
     @ParameterizedTest
     @ValueSource(strings = {"\r\n", "\n"})
     public void testMultipleContentLengthWithLargerThenCorrectValue(String eoln)