Closed
Description
The net/http server improperly strips CRs surrounding the Transfer-Encoding header value, treating "Transfer-Encoding: \rchunked" as indicating a chunked body.
For example, this request is interpreted as containing the body "a".
echo -ne "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n1\r\na\r\n0\r\n\r\n" | nc localhost 8080
This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.
Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.
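The difference between lenient and strict handling of this header value, as an added example (not code from the Go project or from this report). The function names are hypothetical, and the sample request is the one from the description above.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// ErrBareCR reports a CR that is not part of a CRLF line terminator.
var ErrBareCR = errors.New("bare CR in header section")

// lenientIsChunked (hypothetical) shows the class of bug described above:
// all whitespace, CR included, is trimmed before the comparison.
func lenientIsChunked(value string) bool {
	return strings.EqualFold(strings.TrimSpace(value), "chunked")
}

// strictIsChunked (hypothetical) trims only optional whitespace (SP / HTAB)
// and refuses any value that still contains CR or LF.
func strictIsChunked(value string) (bool, error) {
	v := strings.Trim(value, " \t")
	if strings.ContainsAny(v, "\r\n") {
		return false, ErrBareCR
	}
	return strings.EqualFold(v, "chunked"), nil
}

// CheckHead scans a raw request head (everything before the blank line)
// and returns ErrBareCR if any CR is not immediately followed by LF.
func CheckHead(raw []byte) error {
	head, _, _ := bytes.Cut(raw, []byte("\r\n\r\n"))
	for i, b := range head {
		if b == '\r' && (i+1 >= len(head) || head[i+1] != '\n') {
			return ErrBareCR
		}
	}
	return nil
}

// Sample input: the request bytes from the description above.
const sample = "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n1\r\na\r\n0\r\n\r\n"

func main() {
	fmt.Println(lenientIsChunked(" \rchunked"))
	ok, err := strictIsChunked(" \rchunked")
	fmt.Println(ok, err)
	fmt.Println(CheckHead([]byte(sample)))
}
```

A check like CheckHead is useful in a front-end proxy or in traffic analysis, where two parsers disagreeing about this header is what makes smuggling possible.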