net/http: improper sanitization of Transfer-Encoding header #53188

Closed
@neild

Description

The net/http server improperly strips CRs surrounding the Transfer-Encoding header value, treating "Transfer-Encoding: \rchunked" as indicating a chunked body.

For example, this request is interpreted as containing the body a.

echo -ne "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n1\r\na\r\n0\r\n\r\n" | nc localhost 8080

This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.
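The hardening described above, sketched as an added example (not code from net/http or from the issue author): `lenientChunked` models the reported trimming behaviour as an assumption, and `strictChunked`, `checkHead` and `errBareCR` are hypothetical names for a check that rejects a bare CR instead of stripping it. The sample request head is constructed from the one in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errBareCR = errors.New("bare CR or LF in header field value")

// Constructed sample: the request head from the issue, with a bare CR before "chunked".
const sampleHead = "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n"

// lenientChunked models the reported behaviour: CRs around the value are trimmed away.
func lenientChunked(value string) bool {
	return strings.EqualFold(strings.Trim(value, " \t\r\n"), "chunked")
}

// strictChunked trims only optional whitespace (SP, HTAB) and rejects any CR or LF left over.
func strictChunked(value string) (bool, error) {
	v := strings.Trim(value, " \t")
	if strings.ContainsAny(v, "\r\n") {
		return false, errBareCR
	}
	return strings.EqualFold(v, "chunked"), nil
}

// checkHead walks the header lines of a raw request head and applies the strict
// check to every Transfer-Encoding field. It reports whether the body is chunked.
func checkHead(head string) (bool, error) {
	lines := strings.Split(strings.TrimSuffix(head, "\r\n\r\n"), "\r\n")
	chunked := false
	for _, line := range lines[1:] { // lines[0] is the request line
		name, value, ok := strings.Cut(line, ":")
		if !ok || !strings.EqualFold(name, "Transfer-Encoding") {
			continue
		}
		c, err := strictChunked(value)
		if err != nil {
			return false, err // refuse the request instead of guessing its framing
		}
		chunked = chunked || c
	}
	return chunked, nil
}

func main() {
	fmt.Println("lenient treats \\rchunked as chunked:", lenientChunked(" \rchunked"))
	_, err := checkHead(sampleHead)
	fmt.Println("strict check on the sample head:", err)
}
```

Rejecting the request outright, rather than normalising the value, keeps a front-end proxy and the Go server from disagreeing about where the body ends.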
