Tighten content-length header parsing in shared spdy code, not flag protected

This CL is to fix crbug.com/596576.

PiperOrigin-RevId: 325516552
Change-Id: I64dc8c9127b6b40b959172fd0c42bb6697899098

quic/core/http/spdy_utils.cc

diff --git a/quic/core/http/spdy_utils.cc b/quic/core/http/spdy_utils.cc
index 98d22cb..69dd3d0 100644
--- a/quic/core/http/spdy_utils.cc
+++ b/quic/core/http/spdy_utils.cc
@@ -34,7 +34,8 @@
         quiche::QuicheTextUtils::Split(content_length_header, '\0');
     for (const quiche::QuicheStringPiece& value : values) {
       uint64_t new_value;
-      if (!quiche::QuicheTextUtils::StringToUint64(value, &new_value)) {
+      if (!quiche::QuicheTextUtils::StringToUint64(value, &new_value) ||
+          !quiche::QuicheTextUtils::IsAllDigits(value)) {
         QUIC_DLOG(ERROR)
             << "Content length was either unparseable or negative.";
         return false;

quic/core/http/spdy_utils_test.cc

diff --git a/quic/core/http/spdy_utils_test.cc b/quic/core/http/spdy_utils_test.cc
index 55d4706..dd8079e 100644
--- a/quic/core/http/spdy_utils_test.cc
+++ b/quic/core/http/spdy_utils_test.cc
@@ -141,6 +141,20 @@
   EXPECT_EQ(9000000000, content_length);
 }
 
+TEST_F(CopyAndValidateHeaders, NonDigitContentLength) {
+  // Section 3.3.2 of RFC 7230 defines content-length as being only digits.
+  // Number parsers might accept symbols like a leading plus; test that this
+  // fails to parse.
+  auto headers = FromList({{"content-length", "+123"},
+                           {"foo", "foovalue"},
+                           {"bar", "barvalue"},
+                           {"baz", ""}});
+  int64_t content_length = -1;
+  SpdyHeaderBlock block;
+  EXPECT_FALSE(
+      SpdyUtils::CopyAndValidateHeaders(*headers, &content_length, &block));
+}
+
 TEST_F(CopyAndValidateHeaders, MultipleValues) {
   auto headers = FromList({{"foo", "foovalue"},
                            {"bar", "barvalue"},