### dart info
#### General info
- Dart 3.8.0-edge.f07915cb6e9da7efd5ad66a81d597ec5fa595440 (main) (Wed Mar 26 14:08:23 2025 -0700) on "linux_x64"
- on linux / Linux 6.12.21-1-lts #1 SMP PREEMPT_DYNAMIC Sat, 29 Mar 2025 06:39:46 +0000
- locale is en_US
#### Process info
| Memory | CPU | Elapsed time | Command line |
| -----: | ---: | -----------: | ---------------- |
| 120 MB | 0.2% | 09:46 | dart server.dart |
### Bug 1: Dart does not recognize the ",chunked" transfer-coding.

RFC 9112, section 6.1, defines the acceptable values of a Transfer-Encoding header field as follows:

    Transfer-Encoding = #transfer-coding

The meaning of the "#" list operator is given in RFC 9110, section 5.6.1:

> A construct "#" is defined, similar to "*", for defining comma-delimited lists of elements. The full form is "<n>#<m>element" indicating at least <n> and at most <m> elements, each separated by a single comma (",") and optional whitespace (OWS, defined in Section 5.6.3).

Thus, a Transfer-Encoding field value consists of zero or more comma-separated transfer-codings. (A transfer-coding is just a token, optionally followed by ";"-separated parameters. By far the most widely used transfer-coding is "chunked".)
RFC 9110, section 5.6.1.2 (Recipient Requirements), goes on to state the following:

> A recipient MUST parse and ignore a reasonable number of empty list elements: enough to handle common mistakes by senders that merge values, but not so much that they could be used as a denial-of-service mechanism.

Therefore, a recipient of a message with a "Transfer-Encoding: ,chunked" header must ignore the empty element before the "," and treat the header equivalently to "Transfer-Encoding: chunked".

The HTTP parser in the Dart standard library does not do this. Instead, it treats ",chunked" as a distinct transfer-coding from "chunked", so the message is not framed as a chunked body.
### Bug 2: Dart ignores unrecognized transfer-codings.

From RFC 9112, section 6.1:

> A server that receives a request message with a transfer coding it does not understand SHOULD respond with 501 (Not Implemented).

The HTTP parser in the Dart standard library does not do this. Instead, it treats messages with unrecognized transfer-codings as though they have no message bodies.

Taken together, these bugs mean that a front end which follows the RFC reads "Transfer-Encoding: ,chunked" as a chunked body, while Dart reads the same request as having no body at all; the two disagree about where the request ends and where the next one begins. These bugs can therefore be used for request smuggling when the Dart stdlib HTTP implementation is used as a server behind certain load balancers.
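The following is an added example, not code from the Dart SDK or from this report, that makes both bugs concrete. It implements the RFC 9110 "#" list parsing for Transfer-Encoding (empty elements ignored up to a bound, unknown codings answered with 501), models the behaviour the report describes as a second, lenient policy (exact match on "chunked", anything else treated as "no body"), and runs both over one constructed byte stream to show that they disagree about the byte offset at which the first request ends. The bound of four empty elements, the constructed request, and the helper names are assumptions made for the example, not values taken from Dart or the RFCs.

```python
import re

# Assumed value for RFC 9110 5.6.1.2's "reasonable number" of empty list elements.
MAX_EMPTY_ELEMENTS = 4
# RFC 9110 5.6.2 token characters.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
KNOWN_CODINGS = {"chunked"}  # what this toy server implements


class BadMessage(Exception):
    """Raised where a server would answer 400 or 501 on framing alone."""
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


def parse_transfer_codings(value: str) -> list[str]:
    """Parse a Transfer-Encoding field value as an RFC 9112 #transfer-coding list.
    Empty elements (",chunked", "chunked,,") are skipped up to MAX_EMPTY_ELEMENTS;
    parameters after ";" are dropped; coding names are lower-cased."""
    codings, empties = [], 0
    for element in value.split(","):
        element = element.strip(" \t")  # OWS around each element
        if not element:
            empties += 1
            if empties > MAX_EMPTY_ELEMENTS:
                raise BadMessage(400, "too many empty list elements")
            continue
        name = element.split(";", 1)[0].rstrip(" \t").lower()
        if not _TOKEN_RE.match(name):
            raise BadMessage(400, "transfer-coding is not a token")
        codings.append(name)
    return codings


def body_framing_rfc(headers: dict[str, str]) -> tuple[str, int]:
    """RFC 9112 6.1/6.3 framing decision: ("chunked"|"length"|"none", length)."""
    te = headers.get("transfer-encoding")
    if te is not None:
        codings = parse_transfer_codings(te)
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            raise BadMessage(501, f"unsupported transfer-coding: {unknown[0]}")
        if codings and codings[-1] == "chunked":
            return ("chunked", 0)
        if codings:
            raise BadMessage(400, "chunked is not the final transfer-coding")
        # An empty list is the same as no Transfer-Encoding: fall through.
    cl = headers.get("content-length")
    if cl is not None:
        if not cl.isdigit():
            raise BadMessage(400, "bad Content-Length")
        return ("length", int(cl))
    return ("none", 0)


def body_framing_lenient(headers: dict[str, str]) -> tuple[str, int]:
    """Model (assumed, not Dart's code) of the behaviour the report describes:
    only an exact "chunked" is chunked; any other value is ignored, giving no body."""
    te = headers.get("transfer-encoding")
    if te is None:
        return body_framing_rfc(headers)
    return ("chunked", 0) if te.strip(" \t").lower() == "chunked" else ("none", 0)


def framing_status(headers: dict[str, str]) -> int:
    """Status the RFC policy would answer on framing alone: 200, 400 or 501."""
    try:
        body_framing_rfc(headers)
        return 200
    except BadMessage as e:
        return e.status


def first_request_end(raw: bytes, framing) -> int:
    """Byte offset at which the given framing policy believes request 1 ends."""
    head_end = raw.index(b"\r\n\r\n") + 4
    headers: dict[str, str] = {}
    for line in raw[:head_end].decode("ascii").split("\r\n")[1:]:
        if line:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
    kind, n = framing(headers)
    if kind == "none":
        return head_end
    if kind == "length":
        return head_end + n
    pos = head_end  # chunked: walk chunk-size lines until the last-chunk and trailers
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size:
            pos += size + 2  # chunk-data plus its CRLF
            continue
        while True:  # trailer section ends at an empty line
            line_end = raw.index(b"\r\n", pos)
            if line_end == pos:
                return pos + 2
            pos = line_end + 2


# Constructed stream: one request with a merged-list Transfer-Encoding value whose
# chunked body happens to look like a second request.
_PAYLOAD = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"
SMUGGLED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
            b"Transfer-Encoding: ,chunked\r\n\r\n"
            + f"{len(_PAYLOAD):x}\r\n".encode() + _PAYLOAD + b"\r\n0\r\n\r\n")


def framing_disagreement(raw: bytes) -> tuple[int, int]:
    """(offset where the RFC parser ends request 1, offset where the lenient one does)."""
    return first_request_end(raw, body_framing_rfc), first_request_end(raw, body_framing_lenient)


if __name__ == "__main__":
    rfc_end, lenient_end = framing_disagreement(SMUGGLED)
    print("RFC parser consumes", rfc_end, "bytes; lenient parser consumes", lenient_end)
    print("lenient parser's next request starts with:", SMUGGLED[lenient_end:lenient_end + 16])
```

Run stand-alone, the RFC policy consumes the whole stream as one POST with a chunked body, while the lenient policy stops after the header block, so everything that was the chunked body is what it will try to parse next. That disagreement, not any particular payload, is what a front end and back end must never have between them.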