
Feature #2985

stricter request header parsing

Added by sinister_kid 2 months ago. Updated 2 months ago.

Status: Patch Pending
Priority: Normal
Assignee: -
Category: core
Target version:
Start date: 2019-09-30
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

Server accepts and normalizes invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a lighttpd server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy.

Similar bug in Go:
https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
Request smuggling attack:
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn


#1

Updated by stbuehler 2 months ago

Hi, thanks for reporting this!

I disagree with RFC 7230 a little bit on this though: I think accepting and normalizing such headers should be acceptable behavior - the real problem are proxies which forward broken requests (without normalizing them) but still rely on having parsed them correctly (if they don't mix streams from different clients and don't cache there is probably no issue).

I'm not saying we shouldn't (or won't) change this, but I don't consider this CVE-worthy.

#2

Updated by sinister_kid 2 months ago

I agree with you on RFC and this issue not being CVE-worthy.
Just wanted to give a heads-up on this type of problem.

Thanks for your hard work!

#3

Updated by gstrauss 2 months ago

  • Tracker changed from Bug to Feature
  • Category set to core
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.55

This is already updated on my development branch. A response was previously sent to a reporter who sent email to security@.

By default, lighttpd parses (and normalizes) requests before reverse-proxying them to backends. Doing so thwarts the attacks mentioned in https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn to servers upstream from lighttpd.

However, as mentioned by stbuehler above, proxies downstream from lighttpd might pass anything to lighttpd.

The change that will be made in the next release of lighttpd will be to reject requests with space or tab after field-name and before the colon, but only when lighttpd is configured in the (default) mode of strict http header parsing.
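To make the parser disagreement from the issue description and the strict-mode rejection described in this comment concrete, here is an added example that is not lighttpd's code. It implements two toy header parsers in Python: a lenient one that trims whitespace on either side of the colon (the old normalizing behaviour), and a strict one that answers whitespace between field-name and colon with a 400 rejection, as RFC 7230 section 3.2.4 requires. The header block, the `X-Real-Client` field name and the 203.0.113.7 address are constructed for the example; the function names are my own.

```python
import re

# Field-name characters per RFC 7230 section 3.2.6 (tchar).
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class BadRequest(Exception):
    """Raised when the header block must be answered with 400 Bad Request."""


def _lines(block):
    # The header block is CRLF-delimited; the empty line that ends it is dropped.
    return [ln for ln in block.split("\r\n") if ln]


def parse_lenient(block):
    """Normalizing behaviour: trim whitespace on both sides of the colon.

    Returns a list of (lowercased field-name, field-value) tuples.
    """
    headers = []
    for line in _lines(block):
        name, sep, value = line.partition(":")
        if not sep:
            raise BadRequest("no colon in header line %r" % line)
        headers.append((name.strip(" \t").lower(), value.strip(" \t")))
    return headers


def parse_strict(block):
    """RFC 7230 section 3.2.4: whitespace between field-name and colon -> 400.

    Optional whitespace (OWS) around the field-value is still permitted and removed.
    """
    headers = []
    for line in _lines(block):
        name, sep, value = line.partition(":")
        if not sep:
            raise BadRequest("no colon in header line %r" % line)
        if name != name.rstrip(" \t"):
            raise BadRequest("whitespace before colon in %r" % line)
        if not TOKEN_RE.match(name):
            raise BadRequest("field-name is not a token: %r" % name)
        headers.append((name.lower(), value.strip(" \t")))
    return headers


def strict_rejects(block):
    """Return the rejection reason if strict parsing would send 400, else None."""
    try:
        parse_strict(block)
    except BadRequest as exc:
        return str(exc)
    return None


def disputed_names(block):
    """Field names a lenient parser accepts but a strict parser would not.

    These are exactly the fields on which two hops would disagree: one sees
    the header, the other does not, which is what enables the filter bypass
    and desync scenarios the issue describes.
    """
    lenient = {name for name, _ in parse_lenient(block)}
    strict_ok = set()
    for line in _lines(block):
        name = line.partition(":")[0]
        if name == name.rstrip(" \t") and TOKEN_RE.match(name):
            strict_ok.add(name.lower())
    return sorted(lenient - strict_ok)


# Constructed sample block: the second line has a space before the colon.
RAW = (
    "Host: example.test\r\n"
    "X-Real-Client : 203.0.113.7\r\n"
    "Accept: */*\r\n"
)

if __name__ == "__main__":
    print("lenient view:", parse_lenient(RAW))
    print("strict verdict:", strict_rejects(RAW))
    print("disputed fields:", disputed_names(RAW))
```

Run stand-alone, the lenient parser returns three headers including `x-real-client`, while the strict parser rejects the whole block; `disputed_names` lists the one field the two views disagree on. A tab or space after the colon is OWS and stays accepted by both parsers, which matches the narrower change described above: only whitespace before the colon is rejected.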

#4

Updated by gstrauss 2 months ago

  • Subject changed from Incorrect header normalization to stricter header normalization

#5

Updated by gstrauss 2 months ago

  • Subject changed from stricter header normalization to stricter request header parsing

#6

Updated by sinister_kid 2 months ago

Ooops, it was me who sent the email, but the response ended up in my spam folder. Thanks for the quick response, guys.
Cheers!
