Header Truncation #2275

Closed
kenballus opened this issue Jun 26, 2023 · 0 comments · Fixed by #2278
Description

The headers can be truncated in the example HTTP server by sending a header with no name.

Instruction to Reproduce

# Download and build the server
$ git clone https://github.com/cesanta/mongoose && cd mongoose

# Start the server
$ make &

# Observe that the server times out because the Content-Length header is interpreted:
$ printf 'GET / HTTP/1.1\r\nContent-Length: 1\r\n\r\n' | nc localhost 8000

# Observe that the server does not time out, because it stops interpreting headers after the empty header:
$ printf 'GET / HTTP/1.1\r\n:\r\nContent-Length: 1\r\n\r\n' | nc localhost 8000

Impact

See this CVE in HAProxy, which describes a very similar issue. When Mongoose is used to implement a proxy, this behavior should be a cause for similar concern.

Proposed Solution:

Make the HTTP parser fail when it encounters a header with an empty name, as is suggested by the RFCs.

Versions

Mongoose 7.10, Linux/musl

Note

You requested that we make this a public GitHub issue.
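
The proposed fix, sketched as an added example that is not part of the original issue and is not Mongoose's parser: a header-block parser that fails the request on an empty header name, next to a lenient mode that models the truncation reported above. The names `parse_headers`, `struct hdr` and the `strict` flag are hypothetical, and the input is constructed from the second reproduction request.

```c
#include <stdio.h>
#include <string.h>

struct hdr { const char *name, *value; size_t name_len, value_len; };

/* RFC 9110 "tchar": the characters allowed in a header field name. */
static int is_tchar(unsigned char c) {
  if (c >= '0' && c <= '9') return 1;
  if ((c | 0x20) >= 'a' && (c | 0x20) <= 'z') return 1;
  return c != 0 && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Parse the header lines in buf[0..len), which must end with a blank line.
 * Returns the number of headers stored in out, or -1 if the block is
 * malformed. strict=0 models the behaviour reported in the issue: a line
 * with an empty name ends header parsing and the rest is ignored. */
int parse_headers(const char *buf, size_t len, struct hdr *out, size_t max,
                  int strict) {
  size_t pos = 0, n = 0;
  while (pos < len) {
    const char *line = buf + pos;
    const char *eol = memchr(line, '\n', len - pos);
    if (eol == NULL) return -1;                /* unterminated line */
    size_t ll = (size_t) (eol - line), k = 0, v;
    pos += ll + 1;
    if (ll > 0 && line[ll - 1] == '\r') ll--;  /* drop the CR of CRLF */
    if (ll == 0) return (int) n;               /* blank line: headers done */
    while (k < ll && is_tchar((unsigned char) line[k])) k++;
    if (k == 0 && !strict) return (int) n;     /* lenient: silent truncation */
    if (k == 0 || k == ll || line[k] != ':') return -1; /* bad or empty name */
    if (n == max) return -1;                   /* too many headers */
    for (v = k + 1; v < ll && (line[v] == ' ' || line[v] == '\t'); v++) {}
    while (ll > v && (line[ll - 1] == ' ' || line[ll - 1] == '\t')) ll--;
    out[n].name = line; out[n].name_len = k;
    out[n].value = line + v; out[n].value_len = ll - v;
    n++;
  }
  return -1;                                   /* no terminating blank line */
}

int main(void) {
  /* Constructed input: the header block of the second request in the issue. */
  const char req[] = ":\r\nContent-Length: 1\r\n\r\n";
  struct hdr h[8];
  printf("lenient: %d\n", parse_headers(req, sizeof(req) - 1, h, 8, 0));
  printf("strict:  %d\n", parse_headers(req, sizeof(req) - 1, h, 8, 1));
  return 0;
}
```

In lenient mode the call reports zero headers, so `Content-Length` is never seen; in strict mode the same bytes are rejected, which is the outcome a proxy in front of another parser needs.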
