about summary refs log tree commit homepage
path: root/lib/PublicInbox/HTTP.pm
diff options
context:
space:
mode:
authorEric Wong <e@80x24.org>2021-10-19 21:26:15 +0000
committerEric Wong <e@80x24.org>2021-10-20 10:37:34 +0000
commit49e653848f34a179f38c1738f537f69c1205e92a (patch)
tree20e7ed69eda55a8076ea757dd325c4f27d6d55cb /lib/PublicInbox/HTTP.pm
parent9f8e28a80374e905c831d2d5f3a45c6a9d708fa3 (diff)
downloadpublic-inbox-49e653848f34a179f38c1738f537f69c1205e92a.tar.gz
Malicious clients may attempt HTTP request smuggling this way.
This doesn't affect our current code as we only look for exact
matches, but it could affect other servers behind a
to-be-implemented reverse proxy built around our -httpd.

This doesn't affect users behind varnish at all, nor the
HTTPS/HTTP reverse proxy I use (I don't know about nginx), but
could be passed through by other reverse proxies.

This change is only needed for HTTP::Parser::XS which most users
probably use.  Users of the pure Perl parser (via
PLACK_HTTP_PARSER_PP=1) already hit 400 errors in this case,
so this makes the common XS case consistent with the pure Perl
case.

cf. https://www.mozilla.org/en-US/security/advisories/mfsa2006-33/
Diffstat (limited to 'lib/PublicInbox/HTTP.pm')
-rw-r--r--lib/PublicInbox/HTTP.pm1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 0f4b5047..18a19250 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -91,6 +91,7 @@ sub event_step { # called by PublicInbox::DS
                 }
                 $self->do_read($rbuf, 8192, length($$rbuf)) or return;
         }
+        return quit($self, 400) if grep(/\s/, keys %env); # stop smugglers
         $$rbuf = substr($$rbuf, $r);
         my $len = input_prepare($self, \%env) //
                 return write_err($self, undef); # EMFILE/ENFILE