You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The headers can be truncated in the example HTTP server by sending a header with no name.
Instruction to Reproduce
# Download and build the server
$ git clone https://github.com/cesanta/mongoose &&cd mongoose
# Start the server
$ make &
# Observe that the server times out because the Content-Length header is interpreted:
$ printf'GET / HTTP/1.1\r\nContent-Length: 1\r\n\r\n'| nc localhost 8000
# Observe that the server does not time out, because it stops interpreting headers after the empty header:
$ printf'GET / HTTP/1.1\r\n:\r\nContent-Length: 1\r\n\r\n'| nc localhost 8000
Impact
See this CVE in HAProxy, which describes a very similar issue. When Mongoose is used to implement a proxy, this behavior should be a cause for similar concern.
Proposed Solution:
Make the HTTP parser fail when it encounters a header with an empty name, as is suggested by the RFCs.
Versions
Mongoose 7.10, Linux/musl
Note
You requested that we make this a public GitHub issue.
The text was updated successfully, but these errors were encountered:
Description
The headers can be truncated in the example HTTP server by sending a header with no name.
Instruction to Reproduce
Impact
See this CVE in HAProxy, which describes a very similar issue. When Mongoose is used to implement a proxy, this behavior should be a cause for similar concern.
Proposed Solution:
Make the HTTP parser fail when it encounters a header with an empty name, as is suggested by the RFCs.
Versions
Mongoose 7.10, Linux/musl
Note
You requested that we make this a public GitHub issue.
The text was updated successfully, but these errors were encountered: