Skip to content

http request smuggling, cause by obfuscating TE header #9571

Closed
@axeBig

Description

@axeBig

Expected behavior

ignore obfuscating TE header("Transfer-Encoding : chunked" vs "Transfer-Encoding: chunked")

Actual behavior

use Transfer-Encoding[space] as Transfer-Encoding

Steps to reproduce

1、topology: client→elb→nettyServer
2、client send a request with both content-length and trunked-encoded[space]
3、elb ignored trunked-encoded[space], but use content-length
4、netty use trunked-encoded[space]

Minimal yet complete reproducer code (or URL to code)

when header field end with space but not colon, shoud the space be ignored?
can not found proof in https://greenbytes.de/tech/webdav/rfc7230.html#header.fields.

code in io.netty.handler.codec.http.HttpObjectDecoder#splitHeader

for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
            char ch = sb.charAt(nameEnd);
            if (ch == ':' || Character.isWhitespace(ch)) {
                break;
            }
 }

Netty version

all

JVM version (e.g. java -version)

OS version (e.g. uname -a)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions