user/dev discussion of public-inbox itself
 help / color / mirror / code / Atom feed
From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Subject: [PATCH] httpd: reject requests with spaces in header names
Date: Tue, 19 Oct 2021 21:26:15 +0000	[thread overview]
Message-ID: <20211019212615.16341-1-e@80x24.org> (raw)

Malicious clients may attempt HTTP request smuggling this way.
This doesn't affect our current code as we only look for exact
matches, but it could affect other servers behind a
to-be-implemented reverse proxy built around our -httpd.

This doesn't affect users behind varnish at all, nor the
HTTPS/HTTP reverse proxy I use (I don't know about nginx), but
could be passed through by other reverse proxies.

This change is only needed for HTTP::Parser::XS which most users
probably use.  Users of the pure Perl parser (via
PLACK_HTTP_PARSER_PP=1) already hit 400 errors in this case,
so this makes the common XS case consistent with the pure Perl
case.

cf. https://www.mozilla.org/en-US/security/advisories/mfsa2006-33/
---
 lib/PublicInbox/HTTP.pm | 1 +
 t/httpd-corner.t        | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 0f4b5047..18a19250 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -91,6 +91,7 @@ sub event_step { # called by PublicInbox::DS
 		}
 		$self->do_read($rbuf, 8192, length($$rbuf)) or return;
 	}
+	return quit($self, 400) if grep(/\s/, keys %env); # stop smugglers
 	$$rbuf = substr($$rbuf, $r);
 	my $len = input_prepare($self, \%env) //
 		return write_err($self, undef); # EMFILE/ENFILE
diff --git a/t/httpd-corner.t b/t/httpd-corner.t
index cec754c9..0a613a9e 100644
--- a/t/httpd-corner.t
+++ b/t/httpd-corner.t
@@ -82,7 +82,12 @@ if ('test worker death') {
 	like($body, qr/\A[0-9]+\z/, '/pid response');
 	isnt($body, $pid, 'respawned worker');
 }
-
+{
+	my $conn = conn_for($sock, 'Header spaces bogus');
+	$conn->write("GET /empty HTTP/1.1\r\nSpaced-Out : 3\r\n\r\n");
+	$conn->read(my $buf, 4096);
+	like($buf, qr!\AHTTP/1\.[0-9] 400 !, 'got 400 response on bad request');
+}
 {
 	my $conn = conn_for($sock, 'streaming callback');
 	$conn->write("GET /callback HTTP/1.0\r\n\r\n");

                 reply	other threads:[~2021-10-19 21:26 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211019212615.16341-1-e@80x24.org \
    --to=e@80x24.org \
    --cc=meta@public-inbox.org \
    --subject='Re: [PATCH] httpd: reject requests with spaces in header names' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Code repositories for project(s) associated with this inbox:

	https://80x24.org/public-inbox.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).