Netty shouldn't allow the invalid fold. #9866

Closed
@ZeddYu

Expected behavior

Netty shouldn't allow the invalid fold. According to RFC7230, https://tools.ietf.org/html/rfc7230#section-3.2.

     header-field   = field-name ":" OWS field-value OWS

     field-name     = token
     field-value    = *( field-content / obs-fold )
     field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
     field-vchar    = VCHAR / obs-text

     obs-fold       = CRLF 1*( SP / HTAB )
                    ; obsolete line folding
                    ; see Section 3.2.4

A SP or HTAB should follow the CRLF, but Netty allows a CRLF without a SP or HTAB.

Actual behavior

Netty accepts the invalid fold. This may cause HTTP smuggling.

Steps to reproduce

Send a request like this:

POST / HTTP/1.1
Host: example.com
Connection: close
Content-Length: 5
Content-Length:
6

0

Minimal yet complete reproducer code (or URL to code)

Netty version

all

JVM version (e.g. java -version)

java version "1.8.0_181"

OS version (e.g. uname -a)

Darwin ZedddeMacBook-Pro.local 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
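
The strict handling the issue asks for, as an added Python example (not part of the original issue and not Netty's code): a header-section parser that accepts a continuation line only when it starts with SP or HTAB, and rejects differing Content-Length values as RFC 7230 requires. The names `parse_headers`, `HeaderError` and `PAGE_HEADERS` are assumptions made for this sketch; the sample input is constructed from the request shown in the issue.

```python
import re

# field-name = token (RFC 7230 section 3.2.6)
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample: the header lines of the request shown in the issue.
PAGE_HEADERS = (b"Host: example.com\r\nConnection: close\r\n"
                b"Content-Length: 5\r\nContent-Length:\r\n6\r\n\r\n")


class HeaderError(ValueError):
    """The header section does not match the RFC 7230 grammar."""


def parse_headers(block):
    """Strictly parse the header lines that follow the request line."""
    fields = []
    for n, line in enumerate(block.split(b"\r\n"), 1):
        if line == b"":
            break  # an empty line ends the header section
        if line[:1] in (b" ", b"\t"):
            # obs-fold = CRLF 1*( SP / HTAB ): continues the previous field.
            if not fields:
                raise HeaderError(f"line {n}: fold before any header field")
            # RFC 7230 section 3.2.4: replace the fold with a single SP.
            joined = fields[-1][1] + b" " + line.strip(b" \t")
            fields[-1][1] = joined.strip(b" \t")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            # e.g. b"6": neither a header field nor a valid fold.
            raise HeaderError(f"line {n}: not a field or obs-fold: {line!r}")
        fields.append([name, value.strip(b" \t")])
    # Differing Content-Length values must be rejected, not resolved.
    lengths = {v for k, v in fields if k.lower() == b"content-length"}
    if len(lengths) > 1:
        raise HeaderError(f"conflicting Content-Length: {sorted(lengths)}")
    return [(k, v) for k, v in fields]


if __name__ == "__main__":
    try:
        parse_headers(PAGE_HEADERS)
    except HeaderError as exc:
        print("rejected:", exc)
```

With a correctly folded `Content-Length:` line (CRLF followed by SP and `6`), the same parser unfolds the value and then rejects the request because the two Content-Length values differ.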
