fix: HTTP request smuggling via Transfer-Encoding list and redirect credential leak

[mohammadmseet-hue]

Summary

Two security fixes in dart:io HTTP implementation:

1. HTTP Request Smuggling via Transfer-Encoding list parsing

File: sdk/lib/_http/http_parser.dart:751

RFC 7230 section 3.3.1 allows Transfer-Encoding to be a comma-separated list (e.g. gzip, chunked). The parser only checked for an exact match on "chunked", so it missed chunked encoding when other encodings preceded it in the list.

This creates a CL/TE desync (HTTP request smuggling) when a Dart HTTP server runs behind a compliant reverse proxy. The proxy correctly parses the list and reads a chunked body, while Dart falls back to Content-Length, causing the two to disagree on message boundaries.

Fix: Parse Transfer-Encoding as a comma-separated list and check each token individually for "chunked".

2. shouldCopyHeaderOnRedirect parameter swap — credential leak on redirect

File: sdk/lib/_http/http_impl.dart:3107

The call site passed resolved (redirect target URL) as originalUrl and previous.uri (original request URL) as redirectUri, swapping the intended parameter order. This caused the _isSubdomain check to verify the wrong direction:

• Redirect sub.example.com → example.com: Authorization/Cookie headers leaked to parent domain (should be stripped)
• Redirect example.com → sub.example.com: Headers stripped (should be kept)

Fix: Swap parameters to match the function signature: shouldCopyHeaderOnRedirect(header, previous.uri, resolved).

Test plan

• Verify Transfer-Encoding: gzip, chunked is now parsed as chunked encoding
• Verify Transfer-Encoding: chunked still works (exact match path preserved)
• Verify auth headers are stripped when redirecting to parent domains
• Verify auth headers are kept when redirecting to subdomains
• Run existing _http tests

[copybara-service]

Thank you for your contribution! This project uses Gerrit for code reviews. Your pull request has automatically been converted into a code review at:

https://dart-review.googlesource.com/c/sdk/+/493600

Please wait for a developer to review your code review at the above link; you can speed up the review if you sign into Gerrit and manually add a reviewer that has recently worked on the relevant code. See CONTRIBUTING.md to learn how to upload changes to Gerrit directly.

Additional commits pushed to this PR will update both the PR and the corresponding Gerrit CL. After the review is complete on the CL, your reviewer will merge the CL (automatically closing this PR).

[kevmoo]

A TEST that demonstrates the problem would be amazing.

[mohammadmseet-hue]

@kevmoo good call — I added two regression tests in tests/standalone/io/http_parser_test.dart exercising the fix:

1. POST with Content-Length: 10 and Transfer-Encoding: gzip, chunked (the CL/TE desync case).
2. POST with Transfer-Encoding: identity, chunked (general comma-separated list case).

Both assert chunked=true and that the chunked body bytes are received correctly. On the unpatched parser they fail at Expect.equals(-1, incoming.transferLength) because the parser falls back to Content-Length mode; with the fix they pass.

[copybara-service]

https://dart-review.googlesource.com/c/sdk/+/493600 has been updated with the latest commits from this pull request.

[copybara-service]

https://dart-review.googlesource.com/c/sdk/+/493600 has been updated with the latest commits from this pull request.

[brianquinlan]

Hi @mohammadmseet-hue thanks very much for the PR! I'm just waiting for the tests to finish running and then I'll merge it.

[copybara-service]

Gerrit CL has been approved, please wait for a reviewer to merge it.