Bug #421

mod_proxy vulnerable to resource starvation

Added by Anonymous over 11 years ago. Updated over 1 year ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_proxy
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

Mod_proxy was recently changed to NOT forward the "Connection" header to the backend, since we currently rely on the server to close the connection as soon as the request finishes.

However, the header removal should be even more strict than that, if we are to assume HTTP/1.0 behaviour.

  • Forwarding the "Keep-Alive" and/or "Host" header confuses some servers into going into 1.1 mode and/or keeping the connection although there is no "Connection" header.
  • Header comparison of "Connection" is performed in a case-sensitive style. Many webservers parse their headers in a case-INsensitive way. Therefore a user can potentially cause a DoS simply by initiating lots of connections toward a proxied URL and including a header like "connection: keep-alive" (in lower case).

-- conny

Attachment: lighttpd.mod_proxy.caseless-compare.patch (912 Bytes): [PATCH] Remove forwarding "Connection", "Host" and "Keep-Alive" -- conny. Anonymous, 2005-12-21 15:07
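The two defects the ticket describes, shown as an added C example that is not lighttpd's own code: should_drop_header() can be switched between the strcmp()-style comparison the ticket complains about and a strcasecmp() comparison, and build_backend_headers() assembles the backend header block the way the r3093 fix describes, always ending it with Connection: close. The header list, function names and sample request lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() is POSIX, not ISO C */

/* Headers a proxy speaking HTTP/1.0 to its backend must not forward
 * (constructed list: the names from the ticket plus Proxy-Connection). */
static const char *const drop_headers[] = {
    "Connection", "Proxy-Connection", "Keep-Alive", "Host", NULL
};

/* case_sensitive != 0 mimics the strcmp()-style bug; 0 is the HTTP-correct
 * comparison, since header field names are case-insensitive. */
int should_drop_header(const char *name, int case_sensitive)
{
    for (size_t i = 0; drop_headers[i] != NULL; i++) {
        if (case_sensitive ? strcmp(name, drop_headers[i]) == 0
                           : strcasecmp(name, drop_headers[i]) == 0)
            return 1;
    }
    return 0;
}

/* Copies the client's "Name: value" lines to out, skipping filtered names,
 * then appends "Connection: close" unconditionally so the backend closes the
 * connection after the response. Returns the number of forwarded client
 * headers, or -1 if out is too small. */
int build_backend_headers(const char *const *hdrs, size_t n, int case_sensitive,
                          char *out, size_t out_len)
{
    size_t used = 0;
    int forwarded = 0;
    for (size_t i = 0; i < n; i++) {
        const char *colon = strchr(hdrs[i], ':');
        size_t name_len = colon ? (size_t)(colon - hdrs[i]) : 0;
        char name[64];
        if (!colon || name_len == 0 || name_len >= sizeof name) continue; /* malformed: drop */
        memcpy(name, hdrs[i], name_len);
        name[name_len] = '\0';
        if (should_drop_header(name, case_sensitive)) continue;
        int w = snprintf(out + used, out_len - used, "%s\r\n", hdrs[i]);
        if (w < 0 || (size_t)w >= out_len - used) return -1;
        used += (size_t)w;
        forwarded++;
    }
    int w = snprintf(out + used, out_len - used, "Connection: close\r\n\r\n");
    if (w < 0 || (size_t)w >= out_len - used) return -1;
    return forwarded;
}
```

With case_sensitive set, a client line "connection: keep-alive" is forwarded untouched, which is exactly the path the ticket's DoS relies on; with it cleared the line is filtered and the backend still receives an explicit Connection: close.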

Associated revisions

Revision 3093 (diff)
Added by stbuehler over 1 year ago

[mod_proxy] use case-insensitive comparison to filter headers, send Connection: Close to backend (fixes #421)

From: Stefan Bühler <>

Revision f56fe331 (diff)
Added by stbuehler over 1 year ago

[mod_proxy] use case-insensitive comparison to filter headers, send Connection: Close to backend (fixes #421)

From: Stefan Bühler <>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3093 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1 Updated by Anonymous over 11 years ago

The "stalled" state (waiting for server to close channel) is similar to the one reported in #415.

-- conny

#2 Updated by gstrauss over 1 year ago

Submitted pull request https://github.com/lighttpd/lighttpd1.4/pull/39 to unconditionally set Connection: close with a proxied HTTP/1.0 request. The client request headers Connection and Proxy-Connection were already being filtered.

#3 Updated by stbuehler over 1 year ago

  • Description updated (diff)
  • Assignee deleted (jan)
  • Target version set to 1.4.40

oO. It seems no one cared about the case-sensitive header comparison for a long time...

#4 Updated by stbuehler over 1 year ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r3093.
