Gateway not specification compliant for invalid headers #637

Closed
a-zuckut opened this Issue Jul 18, 2016 · 3 comments


@a-zuckut
Contributor

According to RFC7230:

No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.

Error in test serverMustRejectHeaderWithSpaceBetweenHeaderNameAndColon.
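The RFC 7230 rule quoted above has two sides: a server must answer 400 when a request header carries whitespace between the field-name and the colon, and a proxy must strip such whitespace from a response before forwarding it. The following Python is an added example written for this thread, not code from the Kaazing gateway or from the K3PO test mentioned in the issue; it shows both behaviours on constructed header lines (`Invalid : header` stands in for the malformed case the issue describes, and the function and constant names are the example's own).

```python
import re

# RFC 7230 "tchar": the characters allowed in a header field-name token.
TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(Exception):
    """Raised when a request header line must be answered with 400 Bad Request."""


def parse_header_line(line: str):
    """Split one request header line into (field-name, field-value).

    Whitespace between the field-name and the colon is a hard error (RFC 7230
    section 3.2.4); optional whitespace (OWS) around the field-value is allowed
    and is stripped.
    """
    if ":" not in line:
        raise BadRequest("missing colon in header line: %r" % line)
    raw_name, raw_value = line.split(":", 1)
    if raw_name != raw_name.rstrip(" \t"):
        # This is the case the issue is about: "Invalid : header" must be rejected,
        # because servers that disagree on where the name ends can be made to
        # route or interpret the same request differently.
        raise BadRequest("whitespace between field-name and colon: %r" % line)
    if not TCHAR_RE.match(raw_name):
        raise BadRequest("field-name is not a valid token: %r" % line)
    return raw_name, raw_value.strip(" \t")


def server_status_for_request(header_lines):
    """Return the status a compliant server produces for a header block: 400 on
    any malformed line, otherwise 200 (constructed stand-in for 'accepted')."""
    try:
        for line in header_lines:
            parse_header_line(line)
    except BadRequest:
        return 400
    return 200


def proxy_sanitize_response_header(line: str) -> str:
    """Proxy side of the rule: remove whitespace between field-name and colon
    in a response header before forwarding it downstream."""
    name, _, value = line.partition(":")
    clean_name = name.rstrip(" \t")
    return clean_name + ":" + value


# Constructed sample header blocks (not captured traffic).
REQUEST_HEADERS_OK = ["Host: example.test", "Content-Length: 0"]
REQUEST_HEADERS_BAD = ["Host: example.test", "Invalid : header"]
RESPONSE_HEADER_DIRTY = "X-Upstream : value"


if __name__ == "__main__":
    print("valid request   ->", server_status_for_request(REQUEST_HEADERS_OK))
    print("invalid request ->", server_status_for_request(REQUEST_HEADERS_BAD))
    print("proxy forwards  ->", repr(proxy_sanitize_response_header(RESPONSE_HEADER_DIRTY)))
```

A test for the gateway in the spirit of `serverMustRejectHeaderWithSpaceBetweenHeaderNameAndColon` would send `REQUEST_HEADERS_BAD` to the real server and expect 400 from it; as DoruM's comment below points out, a script that merely tells the acceptor to reply 400 exercises the test harness, not the gateway.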

@dpwspoon dpwspoon added the bug label Jul 20, 2016
@dpwspoon
Member
dpwspoon commented Jul 20, 2016 edited

Links to related tests: #644

@sbadugu sbadugu added the luxoft label Jul 20, 2016
@sbadugu sbadugu modified the milestone: S15 - 16 Jul 20, 2016
@sbadugu sbadugu added this to the S15 - 16 milestone Jul 21, 2016
@DoruM DoruM was assigned by sbadugu Jul 21, 2016
@DoruM
Contributor
DoruM commented Jul 25, 2016

Hello,

The bug is valid, but the IT testing it is wrong. Additionally, the K3PO script testing it is wrong.

The error in the K3PO script is corrected in this PR.

The test serverMustRejectHeaderWithSpaceBetweenHeaderNameAndColon is wrong because it actually defines the behaviour that the acceptor should have, upon that particular request. So the acceptor is made to send back "HTTP 400", at this line.

So actually, after fixing the K3PO script (in the PR above), the test passes, but in reality the gateway does accept headers like "Invalid: header". So I do believe the test is actually wrong.

Kindest regards,
Doru

@a-zuckut , @dpwspoon

@DoruM
Contributor
DoruM commented Jul 25, 2016 edited

This issue is solved in this PR.
This PR doesn't contain unit tests or the merges from #644 since the unit tests are incorrect. I have mentioned in that pull request how they are incorrect. They were however tested, but the tests were not committed.

The PR referenced above should also be merged in kaazing/k3po.

@a-zuckut a-zuckut closed this Aug 1, 2016
@robinzimmermann robinzimmermann changed the title from Gateway Not Specification Compliant to Invalid Headers to Gateway not specification compliant for invalid headers Sep 21, 2016