wsgi: Add support for "Transfer-Encoding: chunked".

Needed by curl with --upload-file . Curl also asks us to return "100 Continue" responses, but WSGI (as of python 2.7 reference implementation) does not allow that. Gah.

wsgi: Add support for "Transfer-Encoding: chunked".
Needed by curl with --upload-file . Curl also asks us to return "100 Continue" responses, but WSGI (as of python 2.7 reference implementation) does not allow that. Gah.
d1fbca1f · Vincent Pelletier · cdcf1a20 · d1fbca1f · d1fbca1f
Commit d1fbca1f authored Oct 21, 2017 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 75 additions and 8 deletions

caucase/test.py caucase/test.py +40 -1

caucase/wsgi.py caucase/wsgi.py +35 -7

No files found.
--- a/caucase/test.py
+++ b/caucase/test.py
@@ -1298,12 +1298,14 @@ class CaucaseTest(unittest.TestCase):
      'REQUEST_METHOD': 'PUT',
      'CONTENT_TYPE': 'application/json',
      'CONTENT_LENGTH': 'a',
+      'wsgi.input': StringIO(),
    })[0], 400)
    self.assertEqual(request({
      'PATH_INFO': '/cau/crt/renew',
      'REQUEST_METHOD': 'PUT',
      'CONTENT_TYPE': 'application/json',
-      'CONTENT_LENGTH': str(10 * 1024 * 1024 + 1),
+      'CONTENT_LENGTH': str(wsgi.MAX_BODY_LENGTH + 1),
+      'wsgi.input': StringIO(),
    })[0], 413)
    self.assertEqual(request({
      'PATH_INFO': '/cau/crt/renew',
@@ -1317,6 +1319,43 @@ class CaucaseTest(unittest.TestCase):
      'CONTENT_TYPE': 'application/json',
      'wsgi.input': StringIO('{"digest": null}'),
    })[0], UNAUTHORISED_STATUS)
+    self.assertEqual(request({
+      'PATH_INFO': '/cau/crt/revoke',
+      'REQUEST_METHOD': 'PUT',
+      'CONTENT_TYPE': 'application/json',
+      'HTTP_TRANSFER_ENCODING': 'chunked',
+      'wsgi.input': StringIO(
+        'a\r\n' # lower-case hex
+        '{"digest":\r\n'
+        '5 extension must be ignored\r\n'
+        'null,\r\n'
+        'A\r\n' # upper-case hex
+        '"foo":"a",\r\n'
+        'f\r\n'
+        '"payload":"{}"}\r\n'
+        '0\r\n'
+        'tail must also be ignored\r\n',
+      ),
+    })[0], UNAUTHORISED_STATUS)
+    self.assertEqual(request({
+      'PATH_INFO': '/cau/crt/revoke',
+      'REQUEST_METHOD': 'PUT',
+      'CONTENT_TYPE': 'application/json',
+      'HTTP_TRANSFER_ENCODING': 'chunked',
+      'wsgi.input': StringIO(
+        '%x\r\n' % (wsgi.MAX_BODY_LENGTH + 1, ),
+      ),
+    })[0], 413)
+    self.assertEqual(request({
+      'PATH_INFO': '/cau/crt/revoke',
+      'REQUEST_METHOD': 'PUT',
+      'CONTENT_TYPE': 'application/json',
+      'HTTP_TRANSFER_ENCODING': 'chunked',
+      'wsgi.input': StringIO(
+        'a\r\n'
+        '{"digest":\r\r' # bad separator
+      ),
+    })[0], 400)
    self.assertEqual(request({
      'PATH_INFO': '/cau/crt/a',
      'REQUEST_METHOD': 'PUT',

--- a/caucase/wsgi.py
+++ b/caucase/wsgi.py
@@ -94,6 +94,7 @@ STATUS_OK = _getStatus(httplib.OK)
 STATUS_CREATED = _getStatus(httplib.CREATED)
 STATUS_NO_CONTENT = _getStatus(httplib.NO_CONTENT)
 MAX_BODY_LENGTH = 10 * 1024 * 1024 # 10 MB
+MAX_CHUNKED_HEADER_LENGTH = 64 * 1024

 class Application(object):
  """
@@ -194,13 +195,40 @@ class Application(object):
    Raises TooLarge if Content-Length if over MAX_BODY_LENGTH.
    If Content-Length is not set, reads at most MAX_BODY_LENGTH bytes.
    """
-    try:
-      length = int(environ.get('CONTENT_LENGTH', MAX_BODY_LENGTH))
-    except ValueError:
-      raise BadRequest('Invalid Content-Length')
-    if length > MAX_BODY_LENGTH:
-      raise TooLarge('Content-Length limit exceeded')
-    return environ['wsgi.input'].read(length)
+    # XXX: WSGI (...at least the reference implementation in python 2.7)
+    # has no way of sending "100 Continue". So ignore "Expect" header and let
+    # client timeout.
+    infile = environ['wsgi.input']
+    transfer_encoding = environ.get('HTTP_TRANSFER_ENCODING')
+    if transfer_encoding == 'chunked':
+      result = ''
+      while True:
+        chunk_header = infile.readline(MAX_CHUNKED_HEADER_LENGTH + 1)
+        if len(chunk_header) > MAX_CHUNKED_HEADER_LENGTH:
+          raise BadRequest('Chunked encoding header too long')
+        try:
+          length = int(chunk_header.split(' ', 1)[0], 16)
+        except ValueError:
+          raise BadRequest('Invalid chunked encoding header')
+        if not length:
+          trailer = infile.readline(MAX_CHUNKED_HEADER_LENGTH + 1)
+          if len(trailer) > MAX_CHUNKED_HEADER_LENGTH:
+            raise BadRequest('Chunked encoding trailer too long')
+          break
+        if len(result) + length > MAX_BODY_LENGTH:
+          raise TooLarge('Content-Length limit exceeded')
+        result += infile.read(length)
+        if infile.read(2) != '\r\n':
+          raise BadRequest('Invalid chunked encoding separator')
+    else: # Assume identity
+      try:
+        length = int(environ.get('CONTENT_LENGTH', MAX_BODY_LENGTH))
+      except ValueError:
+        raise BadRequest('Invalid Content-Length')
+      if length > MAX_BODY_LENGTH:
+        raise TooLarge('Content-Length limit exceeded')
+      result = infile.read(length)
+    return result

  def _authenticate(self, environ, header_list):
    """