netty
diff --git a/‎codec-http/src/main/java/io/netty/handler/codec/http/HttpDecoderConfig.java‎
Lines changed: 30 additions & 0 deletions b/‎codec-http/src/main/java/io/netty/handler/codec/http/HttpDecoderConfig.java‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java‎
Lines changed: 42 additions & 19 deletions b/‎codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java‎
Lines changed: 42 additions & 19 deletions
diff --git a/‎codec-http/src/main/java/io/netty/handler/codec/http/InvalidChunkExtensionException.java‎
Lines changed: 45 additions & 0 deletions b/‎codec-http/src/main/java/io/netty/handler/codec/http/InvalidChunkExtensionException.java‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎codec-http/src/main/java/io/netty/handler/codec/http/InvalidChunkTerminationException.java‎
Lines changed: 45 additions & 0 deletions b/‎codec-http/src/main/java/io/netty/handler/codec/http/InvalidChunkTerminationException.java‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎codec-http/src/main/java/io/netty/handler/codec/http/InvalidLineSeparatorException.java‎
Lines changed: 48 additions & 0 deletions b/‎codec-http/src/main/java/io/netty/handler/codec/http/InvalidLineSeparatorException.java‎
Lines changed: 48 additions & 0 deletions
@@ -34,6 +34,7 @@ public final class HttpDecoderConfig implements Cloneable {
     private int maxInitialLineLength = HttpObjectDecoder.DEFAULT_MAX_INITIAL_LINE_LENGTH;
     private int maxHeaderSize = HttpObjectDecoder.DEFAULT_MAX_HEADER_SIZE;
     private int initialBufferSize = HttpObjectDecoder.DEFAULT_INITIAL_BUFFER_SIZE;
+    private boolean strictLineParsing = HttpObjectDecoder.DEFAULT_STRICT_LINE_PARSING;
 
     public int getInitialBufferSize() {
         return initialBufferSize;
@@ -217,6 +218,35 @@ public HttpDecoderConfig setTrailersFactory(HttpHeadersFactory trailersFactory)
         return this;
     }
 
+    public boolean isStrictLineParsing() {
+        return strictLineParsing;
+    }
+
+    /**
+     * The RFC 9112 specification for the HTTP protocol says that the initial start-line, and the following header
+     * field-lines, must be separated by a Carriage Return (CR) and Line Feed (LF) octet pair, but also offers that
+     * implementations "MAY" accept just a Line Feed octet as a separator.
+     * <p>
+     * Parsing leniencies can increase compatibility with a wider range of implementations, but can also cause
+     * security vulnerabilities, when multiple systems disagree on the meaning of leniently parsed messages.
+     * <p>
+     * When <em>strict line parsing</em> is enabled ({@code true}), then Netty will enforce that start- and header
+     * field-lines MUST be separated by a CR LF octet pair, and will produce messagas with failed
+     * {@link io.netty.handler.codec.DecoderResult}s.
+     * <p>
+     * When <em>strict line parsing</em> is disabled ({@code false}), then Netty will accept lone LF octets as line
+     * seperators for the start- and header field-lines.
+     * <p>
+     * See <a href="https://datatracker.ietf.org/doc/html/rfc9112#name-message-format">RFC 9112 Section 2.1</a>.
+     * @param strictLineParsing Whether <em>strict line parsing</em> should be enabled ({@code true}),
+     * or not ({@code false}).
+     * @return This decoder config.
+     */
+    public HttpDecoderConfig setStrictLineParsing(boolean strictLineParsing) {
+        this.strictLineParsing = strictLineParsing;
+        return this;
+    }
+
     @Override
     public HttpDecoderConfig clone() {
         try {
 
@@ -26,6 +26,7 @@
 import io.netty.util.AsciiString;
 import io.netty.util.ByteProcessor;
 import io.netty.util.internal.StringUtil;
+import io.netty.util.internal.SystemPropertyUtil;
 
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -151,6 +152,23 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
     public static final boolean DEFAULT_VALIDATE_HEADERS = true;
     public static final int DEFAULT_INITIAL_BUFFER_SIZE = 128;
     public static final boolean DEFAULT_ALLOW_DUPLICATE_CONTENT_LENGTHS = false;
+    public static final boolean DEFAULT_STRICT_LINE_PARSING =
+            SystemPropertyUtil.getBoolean("io.netty.handler.codec.http.defaultStrictLineParsing", true);
+
+    private static final Runnable THROW_INVALID_CHUNK_EXTENSION = new Runnable() {
+        @Override
+        public void run() {
+            throw new InvalidChunkExtensionException();
+        }
+    };
+
+    private static final Runnable THROW_INVALID_LINE_SEPARATOR = new Runnable() {
+        @Override
+        public void run() {
+            throw new InvalidLineSeparatorException();
+        }
+    };
+
     private final int maxChunkSize;
     private final boolean chunkedSupported;
     private final boolean allowPartialChunks;
@@ -163,6 +181,7 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
     protected final HttpHeadersFactory trailersFactory;
     private final boolean allowDuplicateContentLengths;
     private final ByteBuf parserScratchBuffer;
+    private final Runnable defaultStrictCRLFCheck;
     private final HeaderParser headerParser;
     private final LineParser lineParser;
 
@@ -315,6 +334,7 @@ protected HttpObjectDecoder(HttpDecoderConfig config) {
         checkNotNull(config, "config");
 
         parserScratchBuffer = Unpooled.buffer(config.getInitialBufferSize());
+        defaultStrictCRLFCheck = config.isStrictLineParsing() ? THROW_INVALID_LINE_SEPARATOR : null;
         lineParser = new LineParser(parserScratchBuffer, config.getMaxInitialLineLength());
         headerParser = new HeaderParser(parserScratchBuffer, config.getMaxHeaderSize());
         maxChunkSize = config.getMaxChunkSize();
@@ -344,7 +364,7 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
         case SKIP_CONTROL_CHARS:
             // Fall-through
         case READ_INITIAL: try {
-            ByteBuf line = lineParser.parse(buffer);
+            ByteBuf line = lineParser.parse(buffer, defaultStrictCRLFCheck);
             if (line == null) {
                 return;
             }
@@ -449,11 +469,11 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
             return;
         }
         /*
-         * everything else after this point takes care of reading chunked content. basically, read chunk size,
+         * Everything else after this point takes care of reading chunked content. Basically, read chunk size,
          * read chunk, read and ignore the CRLF and repeat until 0
          */
         case READ_CHUNK_SIZE: try {
-            ByteBuf line = lineParser.parse(buffer);
+            ByteBuf line = lineParser.parse(buffer, THROW_INVALID_CHUNK_EXTENSION);
             if (line == null) {
                 return;
             }
@@ -491,16 +511,16 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
             // fall-through
         }
         case READ_CHUNK_DELIMITER: {
-            final int wIdx = buffer.writerIndex();
-            int rIdx = buffer.readerIndex();
-            while (wIdx > rIdx) {
-                byte next = buffer.getByte(rIdx++);
-                if (next == HttpConstants.LF) {
+            if (buffer.readableBytes() >= 2) {
+                int rIdx = buffer.readerIndex();
+                if (buffer.getByte(rIdx) == HttpConstants.CR &&
+                        buffer.getByte(rIdx + 1) == HttpConstants.LF) {
+                    buffer.skipBytes(2);
                     currentState = State.READ_CHUNK_SIZE;
-                    break;
+                } else {
+                    out.add(invalidChunk(buffer, new InvalidChunkTerminationException()));
                 }
             }
-            buffer.readerIndex(rIdx);
             return;
         }
         case READ_CHUNK_FOOTER: try {
@@ -723,7 +743,7 @@ private State readHeaders(ByteBuf buffer) {
 
         final HeaderParser headerParser = this.headerParser;
 
-        ByteBuf line = headerParser.parse(buffer);
+        ByteBuf line = headerParser.parse(buffer, defaultStrictCRLFCheck);
         if (line == null) {
             return null;
         }
@@ -745,7 +765,7 @@ private State readHeaders(ByteBuf buffer) {
                 splitHeader(lineContent, startLine, lineLength);
             }
 
-            line = headerParser.parse(buffer);
+            line = headerParser.parse(buffer, defaultStrictCRLFCheck);
             if (line == null) {
                 return null;
             }
@@ -835,7 +855,7 @@ protected void handleTransferEncodingChunkedWithContentLength(HttpMessage messag
 
     private LastHttpContent readTrailingHeaders(ByteBuf buffer) {
         final HeaderParser headerParser = this.headerParser;
-        ByteBuf line = headerParser.parse(buffer);
+        ByteBuf line = headerParser.parse(buffer, defaultStrictCRLFCheck);
         if (line == null) {
             return null;
         }
@@ -878,7 +898,7 @@ private LastHttpContent readTrailingHeaders(ByteBuf buffer) {
                 name = null;
                 value = null;
             }
-            line = headerParser.parse(buffer);
+            line = headerParser.parse(buffer, defaultStrictCRLFCheck);
             if (line == null) {
                 return null;
             }
@@ -1147,7 +1167,7 @@ private static class HeaderParser {
             this.maxLength = maxLength;
         }
 
-        public ByteBuf parse(ByteBuf buffer) {
+        public ByteBuf parse(ByteBuf buffer, Runnable strictCRLFCheck) {
             final int readableBytes = buffer.readableBytes();
             final int readerIndex = buffer.readerIndex();
             final int maxBodySize = maxLength - size;
@@ -1174,6 +1194,9 @@ public ByteBuf parse(ByteBuf buffer) {
                 // Drop CR if we had a CRLF pair
                 endOfSeqIncluded = indexOfLf - 1;
             } else {
+                if (strictCRLFCheck != null) {
+                    strictCRLFCheck.run();
+                }
                 endOfSeqIncluded = indexOfLf;
             }
             final int newSize = endOfSeqIncluded - readerIndex;
@@ -1209,18 +1232,18 @@ private final class LineParser extends HeaderParser {
         }
 
         @Override
-        public ByteBuf parse(ByteBuf buffer) {
+        public ByteBuf parse(ByteBuf buffer, Runnable strictCRLFCheck) {
             // Suppress a warning because HeaderParser.reset() is supposed to be called
             reset();
             final int readableBytes = buffer.readableBytes();
             if (readableBytes == 0) {
                 return null;
             }
-            final int readerIndex = buffer.readerIndex();
-            if (currentState == State.SKIP_CONTROL_CHARS && skipControlChars(buffer, readableBytes, readerIndex)) {
+            if (currentState == State.SKIP_CONTROL_CHARS &&
+                    skipControlChars(buffer, readableBytes, buffer.readerIndex())) {
                 return null;
             }
-            return super.parse(buffer);
+            return super.parse(buffer, strictCRLFCheck);
         }
 
         private boolean skipControlChars(ByteBuf buffer, int readableBytes, int readerIndex) {
 
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http;
+
+import io.netty.handler.codec.CorruptedFrameException;
+
+/**
+ * Thrown when HTTP chunk extensions could not be parsed, typically due to incorrect use of CR LF delimiters.
+ * <p>
+ * <a href="https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding">RFC 9112</a>
+ * specifies that chunk header lines must be terminated in a CR LF pair,
+ * and that a lone LF octet is not allowed within the chunk header line.
+ */
+public final class InvalidChunkExtensionException extends CorruptedFrameException {
+    private static final long serialVersionUID = 536224937231200736L;
+
+    public InvalidChunkExtensionException() {
+        super("Line Feed must be preceded by Carriage Return when terminating HTTP chunk header lines");
+    }
+
+    public InvalidChunkExtensionException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public InvalidChunkExtensionException(String message) {
+        super(message);
+    }
+
+    public InvalidChunkExtensionException(Throwable cause) {
+        super(cause);
+    }
+}
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http;
+
+import io.netty.handler.codec.CorruptedFrameException;
+
+/**
+ * Thrown when HTTP chunks could not be parsed, typically due to incorrect use of CR LF delimiters.
+ * <p>
+ * <a href="https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding">RFC 9112</a>
+ * specifies that chunk bodies must be terminated in a CR LF pair,
+ * and that the delimiter must follow the given chunk-size number of octets in chunk-data.
+ */
+public final class InvalidChunkTerminationException extends CorruptedFrameException {
+    private static final long serialVersionUID = 536224937231200736L;
+
+    public InvalidChunkTerminationException() {
+        super("Chunk data sections must be terminated by a CR LF octet pair");
+    }
+
+    public InvalidChunkTerminationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public InvalidChunkTerminationException(String message) {
+        super(message);
+    }
+
+    public InvalidChunkTerminationException(Throwable cause) {
+        super(cause);
+    }
+}
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http;
+
+import io.netty.handler.codec.DecoderException;
+
+/**
+ * Thrown when {@linkplain HttpDecoderConfig#isStrictLineParsing() strict line parsing} is enabled,
+ * and HTTP start- and header field-lines are not seperated by CR LF octet pairs.
+ * <p>
+ * Strict line parsing is enabled by default since Netty 4.1.124 and 4.2.4.
+ * This default can be overridden by setting the {@value HttpObjectDecoder#PROP_DEFAULT_STRICT_LINE_PARSING} system
+ * property to {@code false}.
+ * <p>
+ * See <a href="https://datatracker.ietf.org/doc/html/rfc9112#name-message-format">RFC 9112 Section 2.1</a>.
+ */
+public final class InvalidLineSeparatorException extends DecoderException {
+    private static final long serialVersionUID = 536224937231200736L;
+
+    public InvalidLineSeparatorException() {
+        super("Line Feed must be preceded by Carriage Return when terminating HTTP start- and header field-lines");
+    }
+
+    public InvalidLineSeparatorException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public InvalidLineSeparatorException(String message) {
+        super(message);
+    }
+
+    public InvalidLineSeparatorException(Throwable cause) {
+        super(cause);
+    }
+}