Feature #2985

closed

stricter request header parsing

Added by sinister_kid about 5 years ago. Updated almost 5 years ago.

Status: Fixed
Priority: Normal
Category: core
Target version: 1.4.55

Description

Server accepts and normalizes invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a lighttpd server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy.

Similar bug in Go:
https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ
Request smuggling attack:
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

#1

Updated by stbuehler about 5 years ago

Hi, thanks for reporting this!

I disagree with RFC 7230 a little bit on this though: I think accepting and normalizing such headers should be acceptable behavior - the real problem is proxies which forward broken requests (without normalizing them) but still rely on having parsed them correctly (if they don't mix streams from different clients and don't cache, there is probably no issue).

I'm not saying we shouldn't (or won't) change this, but I don't consider this CVE-worthy.

#2

Updated by sinister_kid about 5 years ago

I agree with you on RFC and this issue not being CVE-worthy.
Just wanted to give a heads-up on this type of problems.

Thanks for your hard work!

#3

Updated by gstrauss about 5 years ago

  • Tracker changed from Bug to Feature
  • Category set to core
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.55

This is already updated on my development branch. A response was previously sent to a reporter who sent email to security@.

By default, lighttpd parses (and normalizes) requests before reverse-proxying them to backends. Doing so thwarts the attacks mentioned in https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn to servers upstream from lighttpd.

However, as mentioned by stbuehler above, proxies downstream from lighttpd might pass anything to lighttpd.

The change that will be made in the next release of lighttpd will be to reject requests with space or tab after field-name and before the colon, but only when lighttpd is configured in the (default) mode of strict http header parsing.
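As an added illustration, not lighttpd's own code, here is a minimal RFC 7230 field-line parser in C with the strict/lenient switch described above: strict mode rejects SP/HTAB between the field-name and the colon, lenient mode strips it the way the old normalizing behaviour did, which is exactly the divergence a non-normalizing proxy in front of the server could exhibit. The function names and the sample lines used to exercise it are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Outcome of parsing one header field line. */
typedef enum { HDR_OK = 0, HDR_NORMALIZED = 1, HDR_REJECT = 400 } hdr_status;
/* Parse "field-name: field-value" (RFC 7230 section 3.2.4). SP/HTAB between the
 * field-name and ':' is rejected when strict and stripped when lenient (the
 * pre-fix behaviour the ticket describes). *name/*value point into line. */
hdr_status parse_header_line(const char *line, bool strict, const char **name,
                             size_t *name_len, const char **value, size_t *value_len)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return HDR_REJECT;                 /* not a header line */
    size_t nlen = (size_t)(colon - line);
    hdr_status st = HDR_OK;
    while (nlen > 0 && (line[nlen - 1] == ' ' || line[nlen - 1] == '\t')) {
        if (strict) return HDR_REJECT;                    /* whitespace before ':' */
        --nlen;                                           /* lenient: strip it */
        st = HDR_NORMALIZED;
    }
    if (nlen == 0) return HDR_REJECT;                     /* empty field-name */
    for (size_t i = 0; i < nlen; ++i) {                   /* field-name must be a token */
        unsigned char c = (unsigned char)line[i];
        if (c <= ' ' || c >= 0x7f || strchr("()<>@,;:\\\"/[]?={}", c)) return HDR_REJECT;
    }
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') ++v;                  /* OWS after ':' is allowed */
    size_t vlen = strlen(v);
    while (vlen > 0 && strchr(" \t\r\n", v[vlen - 1])) --vlen;   /* trailing OWS/CRLF */
    *name = line; *name_len = nlen; *value = v; *value_len = vlen;
    return st;
}

/* Verdict only, for callers that just need accept / normalize / reject. */
hdr_status classify_header(const char *line, bool strict)
{
    const char *n, *v; size_t nl, vl;
    return parse_header_line(line, strict, &n, &nl, &v, &vl);
}

/* 1 if the line is accepted and the field-name this parser acts on equals want
 * (case-insensitive); 0 if the line is rejected or names a different field. */
int header_name_is(const char *line, bool strict, const char *want)
{
    const char *n, *v; size_t nl, vl;
    if (parse_header_line(line, strict, &n, &nl, &v, &vl) == HDR_REJECT || nl != strlen(want)) return 0;
    for (size_t i = 0; i < nl; ++i)
        if (tolower((unsigned char)n[i]) != tolower((unsigned char)want[i])) return 0;
    return 1;
}
```

Feeding the constructed line `Content-Length : 13` through `classify_header` with `strict` true returns `HDR_REJECT`, while lenient mode returns `HDR_NORMALIZED` and `header_name_is` then reports it as `Content-Length`; a proxy that forwarded the line untouched without recognising it as Content-Length would have framed the message differently.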

#4

Updated by gstrauss about 5 years ago

  • Subject changed from Incorrect header normalization to stricter header normalization

#5

Updated by gstrauss about 5 years ago

  • Subject changed from stricter header normalization to stricter request header parsing

#6

Updated by sinister_kid about 5 years ago

Ooops, it was me who sent the email, but the response ended up in my spam folder. Thanks for the quick response, guys.
Cheers!

#7

Updated by gstrauss almost 5 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100