authorBert JW Regeer <bertjw@regeer.org>2022-03-12 18:48:26 -0700
committerBert JW Regeer <bertjw@regeer.org>2022-03-12 19:48:25 -0700
commitd9bdfa0cf210f6daf017d7c5a3cc149bdec8a9a7 (patch)
treefa22c813705ef57369ad39a8427b1279bdabb9dd /src
parentd032a669682838b26d6a1a1b513b9da83b0e0f90 (diff)
Validate chunk size in Chunked Encoding are HEXDIG
RFC7230 states that a chunk-size should be 1*HEXDIG, this is now validated before passing the resulting string to int() which would also parse other formats for hex, such as: `0x01` as `1` and `+0x01` as `1`. This would lead to a potential for a frontend proxy server and waitress to disagree on where a chunk started and ended, thereby potentially leading to request smuggling. With the increased validation if the size is not just hex digits, Waitress now returns a Bad Request and stops processing the request.
Diffstat (limited to 'src')
-rw-r--r--src/waitress/receiver.py19
1 files changed, 14 insertions, 5 deletions
diff --git a/src/waitress/receiver.py b/src/waitress/receiver.py
index 6289d1a..2f0b734 100644
--- a/src/waitress/receiver.py
+++ b/src/waitress/receiver.py
@@ -150,12 +150,21 @@ class ChunkedReceiver:
self.all_chunks_received = True
break
+
line = line[:semi]
- try:
- sz = int(line.strip(), 16) # hexadecimal
- except ValueError: # garbage in input
- self.error = BadRequest("garbage in chunked encoding input")
- sz = 0
+
+ # Remove any whitespace
+ line = line.strip()
+
+ if not ONLY_HEXDIG_RE.match(line):
+ self.error = BadRequest("Invalid chunk size")
+ self.all_chunks_received = True
+
+ break
+
+ # Can not fail due to matching against the regular
+ # expression above
+ sz = int(line.strip(), 16) # hexadecimal
if sz > 0:
# Start a new chunk.
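Review bot: The `line = line.strip()` added just before the `ONLY_HEXDIG_RE` check means a chunk size padded with whitespace still validates, although `1*HEXDIG` allows none. A front-end proxy that rejects or reads such a line differently could therefore still disagree with Waitress on chunk boundaries, which is the mismatch the commit message sets out to close. If the tolerance is not needed for compatibility, run the check on the unstripped value; if it is deliberate, a comment saying so would help. Either way the second strip is redundant and `sz = int(line, 16)  # hexadecimal` is enough. `ONLY_HEXDIG_RE` is defined outside this hunk, and since `.match()` anchors only at the start, `if not ONLY_HEXDIG_RE.fullmatch(line):` would keep the check strict regardless of how the pattern ends. The enclosing method starts and ends outside the hunk.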