-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential HTTP Response Splitting Vulnerability #1227
Comments
Actually, with the
|
I'm happy to try to work up a pull request if that's the best way to solve this potential vulnerability. Though I do admit to not being super familiar with this area of gunicorn, so it may take some time. |
i fail to see how it affects gunicorn there. in the worst case it seems to accept 2 requests. What dis i missed? |
Well, I may not be a security expert. But this vulnerability has its own CVE number, not to mention the urgency in which it was fixed in the aforementioned webob and waitress projects. At a minimum that suggests to me it should be fixed in gunicorn. At worst, I think this allows hiding an entire bogus response inside an otherwise trusted response; webob explicitly checks the redirect headers for this, because they often allow user input--think a link shortener service that embeds a malicious page. (Then there's the DOS the other projects exhibit; I haven't produced them yet with gunicorn, but I also haven't proven them impossible.) |
ok i reread the issue. for us. the question we should address is if it's the role of the server to sanitise the response before sending it. actually i'm not sure its our role. rather the role of the application. But i would like to hear what people think about it. |
Apache's mod_wsgi sanitizes. As does waitress and gevent. And PEP3333 does explicitly say that the server should sanitize at least some of these values (and the waitress devs agree that more sanitization should be done) (previously cited links). (Obviously I'm biased when it comes to gevent :) |
no PEP3333 says
So it's the role of the application to ensure about their format. The parts other refer is about checking we don't set hop headers or forgot one:
it is not really efficient to do that work twice. especially since that error can only be created by the apllication. We need to think a little more about it imo :) |
PEP3333 also says
And blatant but easily missed security vulnerabilities are pretty much an error, at least according to the interpretation of the other projects (that cite came from waitress, IIRC). Not to mention failing to comply with the spec being an error. |
Client should protect themselves. But anyway I was about to say that we may want to check if the header is valid and return an error in that case if not. It can easily be done there: Let find an efficient way to check it. |
also while we are here we should not stop to this issue and check completely if the header is valid or not :) |
In principle I agree. But in practice, do they? Almost certainly not. This seems to me similar to PEP475 about interrupted syscalls: everyone should check for it, but no one does. So it's much better to do it at the choke points once then force everyone to do it or pay the price. |
If there are potential security vulnerabilities :) I will happily update gevent to do so as well. |
@jamadden opened the PR above. It should be compliant with the PEP3333. Additionally it makes sure that each header_value must not include any control characters, including carriage returns or linefeeds. |
@benoitc Thanks! |
@benoitc glad to see this fixed quickly! Will you be pushing out a new release with this fix included soon? |
i will make a release tomorrow. Couldn't make it today :( |
fix benoitc#1227 (cherry picked from commit 1e10a02)
This header injection vulnerability was recently reported to and fixed in both waitress (WSGI server) and WebOb (and waitress has an outstanding issues to discuss further possible vulnerabilities). I also made changes to gevent for these issues.
gunicorn seems to be partly (but not entirely) vulnerable to these issues as well, across at least the
sync
andgevent
workers.Here are three apps, each producing different kinds of bad output. The
badvalue
case (invalid values in the header values) is probably the most likely injection vulnerability, with the next being thebadname
case (invalid value in the header names) and the least likely being thebadstatus
case (invalid value in the status line):Here's what happens hitting
badvalue
. We get a bunch of duplicate headers that might confuse clients:Here's what happens hitting
badname
. The worst I was able to do was produce malformed HTTP; on other servers I was able to cause clients to hang, but I haven't reproduced that with gunicorn (yet):Finally, here's
badstatus
. Here, we completely override the rest of the response:Should gunicorn check for and raise exceptions for these type of malformed values in
start_response
?The text was updated successfully, but these errors were encountered: