Newlines in HTTP request method results in the injection of HTTP headers in requests #8947
Comments
This issue was tracked down with the help of fin1te (https://github.com/fin1te)
I can confirm this but the syntax appears to be a bit off above... Verified by using There would be a slight performance hit to consider, but checking the options.method against
Per nodejs#8947 . * Check that the passed in method conforms to the token rule. * If the specified method does not conform, throw. Likely would be a good idea to check other bits this way also.
Thank you very much for reporting this issue. The best place to report an issue that could have any security impact on users is to send an email to
Fortunately, security impact for this one ought to be fairly minimal. But definitely needs to be fixed.
@jasnell Sorry about that. I couldn't find an appropriate reporting page, the security impact seemed relatively minimal except in a very unusual use case we hit, and the issue on HTTP header injection was in the archives.
Add a check to make sure that the specified HTTP method is a valid token per the spec. To do so, we look at the method string and check that each character is valid per the token rule. The first violation aborts the check and throws. This check is necessary to avoid malicious http request header injection. per nodejs#8947
This has been fixed in master as of nodejs/node@6192c98. @jasnell is this something you'd like to see backported to 0.10 or 0.12?
Yes. To v0.12 at least.
The http request method does not have any validation applied to it before constructing the first line of an HTTP request (https://github.com/joyent/node/blob/master/lib/_http_client.js#L129). A carefully constructed method, such as
GET / HTTP/1.1\r\nX-Foobar: Bazbang\r\nX-Discard:
if passed to
http.request(method, '/intendedpath')
would result in an HTTP request like:

The forced uppercasing that occurs at https://github.com/joyent/node/blob/master/lib/_http_client.js#L89 can be bypassed by URL encoding the method.

Security impact occurs when a server constructs and submits HTTP requests from client provided data.

HTTP request methods are limited in the HTTP/1.0 and 1.1 RFCs to token, which is defined as:

Header injection within headers themselves is accounted for at:
https://github.com/joyent/node/blob/master/lib/_http_outgoing.js#L296-L297
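The token check that the fix describes, as an added example and not the Node.js project's own code: the method is matched against the RFC 7230 token rule before the request line is built, so the CRLF-bearing method from the report is rejected instead of becoming extra headers. The function names and the sample method string are assumptions constructed for this illustration.

```javascript
'use strict';

// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
//         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA     (RFC 7230 section 3.2.6)
// CR, LF, SP, ":" and the other separators are not tchars, so a method that
// carries them fails the test and cannot smuggle a header into the request.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHttpToken(value) {
  return typeof value === 'string' && TOKEN_RE.test(value);
}

// Hypothetical helper mirroring the request-line construction the issue points
// at: validate first, uppercase afterwards, throw on the first violation.
function buildRequestLine(method, path) {
  if (!isValidHttpToken(method)) {
    throw new TypeError('Method must be a valid HTTP token: ' + JSON.stringify(method));
  }
  return method.toUpperCase() + ' ' + path + ' HTTP/1.1\r\n';
}

// Constructed sample: the method string from the report, with embedded CRLFs.
const MALICIOUS_METHOD = 'GET / HTTP/1.1\r\nX-Foobar: Bazbang\r\nX-Discard:';

// Returns the accepted request line for a normal method and whether the
// malicious one was rejected with a TypeError.
function demo() {
  const results = { good: buildRequestLine('get', '/intendedpath') };
  try {
    buildRequestLine(MALICIOUS_METHOD, '/intendedpath');
    results.rejected = false;
  } catch (e) {
    results.rejected = e instanceof TypeError;
  }
  return results;
}
```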