From 4959ca3624d857ebeda213d8a5b70b72632aac8c Mon Sep 17 00:00:00 2001
From: florian <florian@openbsd.org>
Date: Wed, 8 Apr 2015 19:39:29 +0000
Subject: [PATCH] Do not silently accept multiple Content-Length headers.
 Pointed out by Regis Leroy (regis.leroy AT makina-corpus DOT com), thanks!
 Tweak and OK reyk@

---
 usr.sbin/httpd/server_http.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index b63fc221049..975f8788759 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: server_http.c,v 1.75 2015/02/23 18:43:18 reyk Exp $	*/
+/*	$OpenBSD: server_http.c,v 1.76 2015/04/08 19:39:29 florian Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -339,6 +339,11 @@ server_read_http(struct bufferevent *bev, void *arg)
 			 * the carriage return? And some browsers seem to
 			 * include the line length in the content-length.
 			 */
+			if (clt->clt_toread != 0) {
+				/* We already read Content-Length */
+				server_abort_http(clt, 400, errstr);
+				goto abort;
+			}
 			clt->clt_toread = strtonum(value, 0, LLONG_MAX,
 			    &errstr);
 			if (errstr) {
-- 
2.20.1