-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP parser handles line terminators incorrectly #114
Comments
Hi! Very nice smuggling opportunity here if you can get the other layer to ignore this part :) 👏🏻👏🏻👏🏻 The second request issue is a no-brainer must fix. But the first request...? I'm not sure that's a parsing error or a standard error. HTTP/2 allows for a wider range of HTTP header values. I think an More importantly does this expose possible attack vectors...? |
I think
was what bothered me the most. |
System Information
Description
The HTTP parser is in violation of RFC7230§3.2:
Also, in 3.5. Message Parsing Robustness:
But it appears the parser is using \r and \n almost interchangeably.
Rack App to Reproduce
Testing code
First example
Second example
Expected behavior
In the first example, the request should be discarded, as \r is not a valid field-vchar as per the RFC.
In the second example, it would be safest to discard the request (and close connection to the client).
Actual behavior
First example
The request is accepted and the output of the command above is:
demonstrating that the \r has become part of the value of the header
U
.Second example
The \r\n\r sequence is understood as a terminator for the request, resulting in two requests being handled by Iodine:
The text was updated successfully, but these errors were encountered: