From 6876c16be058a541c38659cdcce93405244dde6f Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Mon, 18 May 2020 00:44:03 -0400
Subject: [PATCH] [core] RFC-strict parse of Content-Length

augment simple strtoll() which allowed number to begin with '+'

This is not exploitable for HTTP Request Smuggling since lighttpd mod_proxy sends "Connection: close" to backends, and other CGI-based backends reconstitute CONTENT_LENGTH in the environment without '+'.

(thx Amit Klein, Safebreach)
---
 src/request.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/request.c b/src/request.c
index f4ee135e..847b0c28 100644
--- a/src/request.c
+++ b/src/request.c
@@ -430,7 +430,7 @@ static int http_request_parse_single_header(request_st * const restrict r, const
     /*(trailing whitespace was removed from vlen)*/
     char *err;
     off_t clen = strtoll(v, &err, 10);
-    if (clen >= 0 && err == v+vlen) {
+    if (clen >= 0 && err == v+vlen && light_isdigit(v[0])) {
         /* (set only if not set to -1 by Transfer-Encoding: chunked) */
         if (0 == r->reqbody_length) r->reqbody_length = clen;
     }
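Review bot: The new `light_isdigit(v[0])` guard still accepts an out-of-range Content-Length, because strtoll() on a digit string longer than the type can hold returns LLONG_MAX with errno set to ERANGE while `err` still lands on `v+vlen`, so the condition on the `+` line passes and the request is treated as having a huge but finite body instead of being rejected as malformed. Since the whole point of the commit is RFC-strict acceptance, the overflow case belongs to the same check: add `errno = 0;` immediately before `off_t clen = strtoll(v, &err, 10);` and extend the condition to `if (clen >= 0 && err == v+vlen && light_isdigit(v[0]) && errno != ERANGE) {`. Whether request.c already includes <errno.h> is not visible here, and on a build where off_t is narrower than long long the assignment to `clen` could additionally truncate silently, so that case may be worth an explicit range check as well. The enclosing function http_request_parse_single_header starts before and continues after this hunk.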