
Non-handling of accept-encoding header when the value does not conform to the specification #3466

Closed
geoand opened this issue Mar 31, 2017 · 1 comment
bug Bug or defect security Issue with security impact

@geoand

geoand commented Mar 31, 2017

Greetings,

We have been successfully using Hapi.js (version 16.1.0 on Node 6.9.1 and Debian Jessie) in production for a while now.
Recently however we encountered strange entries in our logs. Specifically we started seeing a bunch of the following entries:

Error: Unknown encoding Error: Invalid accept-encoding header

After much digging we were able to reproduce the issue using the following curl command.

POC and details removed by hapi contributor

It then seems like Hapi is using the Boom object as the actual encoding, which ultimately makes the framework fail the following assertion (in lib/compression.js):

Hoek.assert(encoder !== undefined, `Unknown encoding ${encoding}`);

The end-result is that the client that initiated the (erroneous) request is left hanging, since the framework never responds.
Personally I don't care one bit about the client not receiving a response, however the fact that no response is produced results in various error logs in Internet-facing reverse proxies (in the form of timeouts).

I could create a PR that fixes this issue, but am hesitant to do so since I don't know what the behavior should be in this case.
Should the appropriate response be an HTTP 400 response, or something else (like using one of the correctly specified encodings)?
It seems to me however that the current (non-) handling of such erroneous requests is not the desired behavior.

Regards,
George
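
The two options the report raises (answer with a 400, or fall back to a correctly specified encoding), shown as an added example that is not hapi's own code: a defensive Accept-Encoding parser that reports a malformed header as a result value rather than throwing, so an error object can never be mistaken for an encoding name. The function names and the `strict` flag are assumptions.

```javascript
// Added example, not hapi's own code: a defensive Accept-Encoding parser.
// It models the two outcomes the report asks about, answer a malformed
// header with a 400 or ignore it and fall back to identity, and never
// lets an error object stand in for an encoding name. The function
// names and the `strict` flag are hypothetical.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;          // RFC 7230 token
const QVALUE = /^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$/;   // RFC 7231 qvalue

// Parse "gzip;q=1.0, identity; q=0.5, *;q=0" into [{ coding, q }].
// Returns { ok: true, entries } or { ok: false, reason }; it never throws.
function parseAcceptEncoding(header) {
  if (header === undefined || header === '') return { ok: true, entries: [] };
  if (typeof header !== 'string') return { ok: false, reason: 'not a string' };
  const entries = [];
  for (const raw of header.split(',')) {
    const part = raw.trim();
    if (part === '') continue;                         // empty list member
    const [codingPart, ...params] = part.split(';');
    const coding = codingPart.trim().toLowerCase();
    if (coding !== '*' && !TOKEN.test(coding)) {
      return { ok: false, reason: `invalid coding "${codingPart.trim()}"` };
    }
    let q = 1;
    for (const p of params) {
      const [name, value] = p.split('=').map((s) => s.trim());
      if (name.toLowerCase() !== 'q' || !QVALUE.test(value || '')) {
        return { ok: false, reason: `invalid parameter "${p.trim()}"` };
      }
      q = parseFloat(value);
    }
    entries.push({ coding, q });
  }
  return { ok: true, entries };
}

// Pick the best supported encoding. A malformed header yields a 400 when
// strict, or identity when lenient; either way the client gets a response.
function selectEncoding(header, supported = ['gzip', 'deflate'], strict = true) {
  const parsed = parseAcceptEncoding(header);
  if (!parsed.ok) {
    return strict ? { status: 400, error: parsed.reason }
                  : { status: 200, encoding: 'identity' };
  }
  const ranked = parsed.entries
    .filter((e) => e.q > 0 && (e.coding === '*' || e.coding === 'identity' ||
                               supported.includes(e.coding)))
    .sort((a, b) => b.q - a.q);
  const best = ranked.length ? ranked[0].coding : 'identity';
  return { status: 200, encoding: best === '*' ? supported[0] : best };
}
```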

@geoand geoand changed the title Non-handling of accept-encoding header when the value does not conform to the regex Non-handling of accept-encoding header when the value does not conform to the spec-compliant regex Mar 31, 2017
@geoand geoand changed the title Non-handling of accept-encoding header when the value does not conform to the spec-compliant regex Non-handling of accept-encoding header when the value does not conform to the specification Mar 31, 2017
@hueniverse hueniverse self-assigned this Mar 31, 2017
@hueniverse hueniverse added the bug Bug or defect label Mar 31, 2017
@hueniverse hueniverse added this to the 16.1.1 milestone Mar 31, 2017
hueniverse added a commit that referenced this issue Mar 31, 2017
@geoand

geoand commented Apr 3, 2017

👍

@hueniverse hueniverse added the security Issue with security impact label Apr 9, 2017
@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020