Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Transfer-Encoding handling #702

Closed
wants to merge 12 commits into from
Closed

Improve Transfer-Encoding handling #702

wants to merge 12 commits into from

Conversation

yadij
Copy link
Contributor

@yadij yadij commented Jul 31, 2020
edited by rousskov

Reject messages containing Transfer-Encoding header with coding other
than chunked or identity. Squid does not support other codings.

For simplicity and security sake, also reject messages where
Transfer-Encoding contains unnecessary complex values that are
technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or
"identity, chunked").

RFC 7230 formally deprecated and removed identity coding, but it is
still used by some agents.

@yadij yadij added the review-1 label Jul 31, 2020
@rousskov rousskov self-requested a review July 31, 2020 18:29
rousskov
rousskov requested changes Jul 31, 2020
View reviewed changes
Copy link
Contributor

@rousskov rousskov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found one bug and two serious concerns. The rest is simple polishing.

src/HttpHeader.cc Show resolved Hide resolved
src/client_side.cc Outdated Show resolved Hide resolved
src/client_side.cc Outdated Show resolved Hide resolved
src/HttpHeader.h Outdated Show resolved Hide resolved
src/HttpHeader.h Outdated Show resolved Hide resolved
src/HttpHeader.h Show resolved Hide resolved
@rousskov rousskov mentioned this pull request Jul 31, 2020
Closed
@yadij yadij added the S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box label Aug 2, 2020
@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Aug 3, 2020
@yadij yadij added S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box and removed S-waiting-for-author author action is expected (and usually required) labels Aug 4, 2020
rousskov
rousskov previously requested changes Aug 4, 2020
View reviewed changes
Copy link
Contributor

@rousskov rousskov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for addressing my previous concerns. I have only two minor nits left for now. Will wait for PR 701 going in so that its XXX can be addressed as well.

src/HttpHeader.cc Outdated Show resolved Hide resolved
src/HttpHeader.h Outdated Show resolved Hide resolved
src/HttpHeader.cc Outdated Show resolved Hide resolved
@rousskov
Copy link
Contributor

rousskov commented Aug 4, 2020

I have only two minor nits left for now.

And an HttpHeader::chunked() change.

@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Aug 4, 2020
@yadij yadij force-pushed the cleanup-transfer-encoding branch 2 times, most recently from 9ae7183 to 2534dd4 Compare August 7, 2020 04:14
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Aug 8, 2020
yadij and others added 7 commits August 9, 2020 23:10
@yadij
Improve Transfer-Encoding handling
0e3dc9c 
Reject messages containing Transfer-Encoding header with coding
other than chunked or identity. They are the only codings Squid
supports.

RFC 7230 formally deprecated and removed identity coding but
it is known to still be used by some agents.

This also bans messages where Transfer-Encoding contains sequences
of coding which are technically benign (eg 'identity, chunked')
but expected never to happen.
@yadij
Note that prohibitedAndIgnored() includes Trailers case
91da67b
@yadij @rousskov
Update src/client_side.cc
252e447 
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
@yadij
Revert some changes on audit request
e2dac33
@yadij
Polish teUnsupported_ flag
8f4e294 
* update documentation to clarify the multiple things it indicates (for now).

* Add missing clean() and copy() logic.
@yadij @rousskov
Update src/HttpHeader.cc
c9cd7e1 
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
@yadij
Update HttpHeader.cc
2941c05
@yadij yadij force-pushed the cleanup-transfer-encoding branch from 9ae7183 to 2941c05 Compare August 9, 2020 11:14
@yadij yadij added S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box and removed S-waiting-for-author author action is expected (and usually required) labels Aug 9, 2020
@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Aug 13, 2020
@yadij yadij added the S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box label Aug 14, 2020
@kinkie
Copy link
Contributor

kinkie commented Aug 14, 2020

Latest jenkins build failed on commit hash not being found; next commit will fix it

@rousskov
Copy link
Contributor

Latest jenkins build failed on commit hash not being found; next commit will fix it

I pushed a trivial change (commit 7439beb) in hope to fix Jenkins.

@rousskov rousskov dismissed their stale review August 14, 2020 15:27

Thank you for addressing my primary concerns.

@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Aug 14, 2020
@yadij yadij added M-cleared-for-merge https://github.com/measurement-factory/anubis#pull-request-labels and removed S-waiting-for-author author action is expected (and usually required) review-1 labels Aug 16, 2020
squid-anubis pushed a commit that referenced this pull request Aug 16, 2020
@yadij @squid-anubis
Improve Transfer-Encoding handling (#702)
f6dd87e 
Reject messages containing Transfer-Encoding header with coding other
than chunked or identity. Squid does not support other codings.

For simplicity and security sake, also reject messages where
Transfer-Encoding contains unnecessary complex values that are
technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or
"identity, chunked").

RFC 7230 formally deprecated and removed identity coding, but it is
still used by some agents.
@squid-anubis squid-anubis added M-waiting-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels M-failed-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels and removed M-waiting-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels labels Aug 16, 2020
@squid-anubis squid-anubis added M-merged https://github.com/measurement-factory/anubis#pull-request-labels and removed M-cleared-for-merge https://github.com/measurement-factory/anubis#pull-request-labels M-waiting-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels labels Aug 16, 2020
squidadm pushed a commit to squidadm/squid that referenced this pull request Aug 17, 2020
@yadij @squidadm
Improve Transfer-Encoding handling (squid-cache#702)
7a4df18 
Reject messages containing Transfer-Encoding header with coding other
than chunked or identity. Squid does not support other codings.

For simplicity and security sake, also reject messages where
Transfer-Encoding contains unnecessary complex values that are
technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or
"identity, chunked").

RFC 7230 formally deprecated and removed identity coding, but it is
still used by some agents.
yadij added a commit that referenced this pull request Aug 18, 2020
@yadij
Improve Transfer-Encoding handling (#702)
f95f103 
Reject messages containing Transfer-Encoding header with coding other
than chunked or identity. Squid does not support other codings.

For simplicity and security sake, also reject messages where
Transfer-Encoding contains unnecessary complex values that are
technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or
"identity, chunked").

RFC 7230 formally deprecated and removed identity coding, but it is
still used by some agents.
squidadm pushed a commit to squidadm/squid that referenced this pull request Aug 18, 2020
@yadij @squidadm
Improve Transfer-Encoding handling (squid-cache#702)
4b68904 
Reject messages containing Transfer-Encoding header with coding other
than chunked or identity. Squid does not support other codings.

For simplicity and security sake, also reject messages where
Transfer-Encoding contains unnecessary complex values that are
technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or
"identity, chunked").

RFC 7230 formally deprecated and removed identity coding, but it is
still used by some agents.
yadij added a commit that referenced this pull request Aug 18, 2020
@yadij
Improve Transfer-Encoding handling (#702)
fd68382 
Reject messages containing Transfer-Encoding header with coding other
than chunked or identity. Squid does not support other codings.

For simplicity and security sake, also reject messages where
Transfer-Encoding contains unnecessary complex values that are
technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or
"identity, chunked").

RFC 7230 formally deprecated and removed identity coding, but it is
still used by some agents.
@yadij yadij deleted the cleanup-transfer-encoding branch September 16, 2020 12:43
@rousskov rousskov mentioned this pull request Sep 24, 2020
Open
@rousskov rousskov removed the M-failed-staging-checks https://github.com/measurement-factory/anubis#pull-request-labels label Sep 25, 2020
@rousskov
Copy link
Contributor

rousskov commented Sep 25, 2020
edited

FTR, Squid's strict handling of Transfer-Encoding values rejects the following (slightly abridged) server responses containing two Transfer-Encoding: chunked header fields:

HTTP/1.1 200 OK
Date: Thu, 24 Sep 2020 11:56:13 GMT
Server: JBoss-EAP/7
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Cache-Control: no-cache
Content-Encoding: gzip
Transfer-Encoding: chunked

The above response header can be interpreted as a violation of the following RFC 7230 MUST-level rquirement: A sender MUST NOT apply chunked more than once to a message body (i.e., chunking an already chunked message is not allowed). The message body itself is probably not double-chunked, but I did not check, and it should not really matter.

55,2| HttpHeader.cc(489) parse: WARNING: unsupported Transfer-Encoding used by client: chunked, chunked

FWIW, at this time, Factory does not plan to change Squid to treat such messages specially -- they will be rejected to mitigate HTTP framing-related attacks. However, if this and similar problems become too frequent, we will need to do more to improve compatibility. For now, let's just collect information about these use cases.

@yadij
Copy link
Contributor Author

yadij commented Sep 25, 2020

The above response header can be interpreted as a violation of the following RFC 7230 MUST-level rquirement: A sender MUST NOT apply chunked more than once to a message body (i.e., chunking an already chunked message is not allowed). The message body itself is probably not double-chunked, but I did not check, and it should not really matter.

It is definitively a violation. If chunked was applied twice that is forbidden. The header is a list header - this input means explicitly that chunked was applied twice. Whether or not it was actually applied twice the sender is not performing HTTP sufficiently well to trust its message framing.

@rousskov
Copy link
Contributor

rousskov commented Jan 18, 2021
edited

FTR, I am updating the list of known real-world benign cases that Squid (correctly!) rejects as of this PR:

  1. WARNING: unsupported Transfer-Encoding used by client: chunked, chunked.
  2. WARNING: unsupported Transfer-Encoding used by client: gzip, chunked.
    Note: Only chunked transfer encoding was applied, no compression.
  3. WARNING: unsupported Transfer-Encoding used by client: Binary.
    Note: There was no actual transfer encoding applied. Known Content-Length.
  4. WARNING: unsupported Transfer-Encoding used by client:
    Note: There was no actual transfer encoding applied. The header value was empty.
  5. WARNING: Leading garbage or empty value in Content-Length[4]=null

The above were seen on various secondary legitimate servers, including servers that belong to well-known well-resourced companies, organizations, and governments around the world. The apparent "resilience" of these problems is consistent with 2014 client-side observations by Daniel Stenberg.

I may update this comment as Squid admins continue to complain about these cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rousskov rousskov rousskov left review comments

Assignees
No one assigned
Labels
M-merged https://github.com/measurement-factory/anubis#pull-request-labels
Projects
None yet
Milestone
No milestone
4 participants
@yadij @rousskov @kinkie @squid-anubis