Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fastcgi: Protect against requests with null bytes in the path #4614

Merged
merged 1 commit into from Mar 7, 2022
Merged

fastcgi: Protect against requests with null bytes in the path #4614

merged 1 commit into from Mar 7, 2022

Conversation

francislavoie
Copy link
Member

Followup to #4574, credit to @MisterDuval for reporting the issue and finding a reproduce case.

@francislavoie francislavoie added bug 🐞 Something isn't working under review 🧐 Review is pending before merging labels Mar 5, 2022
@francislavoie francislavoie added this to the v2.5.0 milestone Mar 5, 2022
@francislavoie francislavoie requested a review from mholt March 5, 2022 02:27
@francislavoie francislavoie mentioned this pull request Mar 5, 2022
Closed
@mholt
Copy link
Member

mholt commented Mar 5, 2022

Thank you Francis. It would be much appreciated if @MisterDuval could confirm that this patch fixes the issue for him, too.

@MisterDuval
Copy link

@mholt that's OK for me, I'm getting a "400 Bad Request", thanks for this patch @francislavoie !

@mholt mholt merged commit c8f2834 into master Mar 7, 2022
@mholt mholt deleted the fastcgi-null-path-protection branch March 7, 2022 17:06
@mholt mholt removed the under review 🧐 Review is pending before merging label Mar 7, 2022
@midnight-wonderer
Copy link

FWIW, this class of issue is called parser differential; it is considered to be a security flaw.
You may fix it now for FastCGI by making the parser inclined to what FastCGI expects, but as long as the differential exists, there might be a way to exploit it; better inform security personnel if you don't do it already.
The proper fix might be better implemented at the upstream server.

@francislavoie
Copy link
Member Author

I completely agree @midnight-wonderer, as we've said in the linked issue. I really believe this should be fixed in PHP's fastcgi implementation.

@mholt
Copy link
Member

mholt commented Mar 20, 2022

Yep, also a hard agree here.

@MisterDuval
Copy link

MisterDuval commented Mar 20, 2022 via email

@midnight-wonderer
Copy link

Because by avoiding it here, you may introduce other vulnerabilities to everyone else.
The case of FastCGI in the example is only one specific case, where you have FastCGI on the inside with Caddy as a frontend server.

In a not so simple case, someone may use Caddy internally between their own services; in that setup, making Caddy reject the request may have other implications. For example, it might mean an attacker can make their application break midway; did something but exit abruptly, which might imply vulnerabilities depending on the context.

The nature of parser differential is the differential part; by propagating the difference from FastCGI to Caddy, the issue might simply move around. Worse, escalating, the differential will be used in bigger vulnerability chains.

As long as the differences exist, people will find a way to exploit them.
Here is an example of how it has been exploits in a browser: https://youtu.be/lG7U3fuNw3A
Who would have thought, right? This is even stemmed from the HTML specs themselves.

@mholt mholt mentioned this pull request Jun 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mholt mholt mholt approved these changes

Assignees
No one assigned
Labels
bug 🐞 Something isn't working
Projects
None yet
Milestone
v2.5.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@francislavoie @mholt @MisterDuval @midnight-wonderer