-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mongoose accepts requests containing multiple differing Content-Length headers. #2763
Comments
We won't fix this. If the client is broken, we can't help it. |
This isn't about broken clients; it's about broken gateways. If you accept requests with conflicting CL headers, then you don't know which one the gateway prioritizes. Therefore, the only correct thing to do is reject the message. If Mongoose continues to instead prioritize the last one arbitrarily, then Mongoose is rendered vulnerable to request smuggling when the gateway prioritized the first one, but forwarded both. I am aware of a few gateway servers that demonstrate this behavior. |
I believe Mongoose always chooses the first content-length. |
My mistake; I had it flipped in my head. (Of course, the same concerns still apply)
This exact same logic applies in the other direction, though. RFC 7230 says the following w.r.t this issue:
Thus, because Mongoose doesn't reject messages with multiple conflicting Ultimately, both parties that are at fault, so both should be fixed. The RFCs are pretty clear that these messages are invalid and must be rejected by any recipient, gateway or origin. |
@kenballus That makes sense, thank you - the only part I did not get is this:
I don't see how a developers of a gateway may see messages from Mongoose with multiple Content-Length. We are talking about inbound messages. Those which Mongoose should reject. So, how exactly gateway development sticks here? If there is an incoming message with multiple headers, it is not Mongoose-generated. Could you clarify please - maybe a simple case where Mongoose comes broken? |
You're saying that you don't need to add a check to reject messages with multiple CL headers because developers of gateways should ensure that they don't send messages containing multiple CL headers. The wrinkle in that argument is that developers of gateways can just as easily say that they don't need to add an extra check to ensure that outbound messages have <=1 CL value because it's the job of origin servers to reject all messages with multiple Content-Length values. This is circular. Both parties need to ensure that
|
I guess I'm not certain what you're asking here. As far as I'm concerned, "broken" is defined by the standards. Maybe we have different working definitions of "broken?" |
To see this for yourself,
Content-Length
headers, and observe that Mongoose does not reject the request, and prioritizes the first over the second:That Mongoose prioritizes the first over the second is clear from the fact that the server responds only once. If the values of the two CL headers are swapped, then it will respond twice. This is unexpected because messages with multiple differeng Content-Length headers are disallowed by the RFCs because of request smuggling concerns.
Ideally, the fix here would be to reject messages that contain multiple Content-Length headers. This is what most HTTP servers do.
Environment
The text was updated successfully, but these errors were encountered: