Improve Transfer-Encoding handling #702
Found one bug and two serious concerns. The rest is simple polishing.
Thank you for addressing my previous concerns. I have only two minor nits left for now. Will wait for PR 701 going in so that its XXX can be addressed as well.
And an HttpHeader::chunked() change.
9ae7183 to 2534dd4
Reject messages containing Transfer-Encoding header with coding other than chunked or identity. They are the only codings Squid supports. RFC 7230 formally deprecated and removed identity coding but it is known to still be used by some agents. This also bans messages where Transfer-Encoding contains sequences of coding which are technically benign (eg 'identity, chunked') but expected never to happen.
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
* update documentation to clarify the multiple things it indicates (for now).
* Add missing clean() and copy() logic.
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
9ae7183 to 2941c05
Latest jenkins build failed on commit hash not being found; next commit will fix it
I pushed a trivial change (commit 7439beb) in hope to fix Jenkins.
Thank you for addressing my primary concerns.
Reject messages containing Transfer-Encoding header with coding other than chunked or identity. Squid does not support other codings. For simplicity and security sake, also reject messages where Transfer-Encoding contains unnecessary complex values that are technically equivalent to "chunked" or "identity" (e.g., ",,chunked" or "identity, chunked"). RFC 7230 formally deprecated and removed identity coding, but it is still used by some agents.
FTR, Squid's strict handling of Transfer-Encoding values rejects the following (slightly abridged) server responses containing two
The above response header can be interpreted as a violation of the following RFC 7230 MUST-level requirement:
FWIW, at this time, Factory does not plan to change Squid to treat such messages specially -- they will be rejected to mitigate HTTP framing-related attacks. However, if this and similar problems become too frequent, we will need to do more to improve compatibility. For now, let's just collect information about these use cases.
It is definitively a violation. If chunked was applied twice that is forbidden. The header is a list header - this input means explicitly that chunked was applied twice. Whether or not it was actually applied twice the sender is not performing HTTP sufficiently well to trust its message framing.
FTR, I am updating the list of known real-world benign cases that Squid (correctly!) rejects as of this PR:
The above were seen on various secondary legitimate servers, including servers that belong to well-known well-resourced companies, organizations, and governments around the world. The apparent "resilience" of these problems is consistent with 2014 client-side observations by Daniel Stenberg. I may update this comment as Squid admins continue to complain about these cases.
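The strict acceptance rule from this PR's commit message, sketched as an added C++ example; it is not Squid's code and not part of the PR. `TeVerdict` and `classifyTransferEncoding` are hypothetical names, and joining repeated field lines with commas and comparing coding names case-insensitively are assumptions based on general HTTP list-header rules.

```cpp
// Added example, not Squid source: strict Transfer-Encoding classification.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class TeVerdict { None, Chunked, Identity, Reject };

// fieldValues: the value of every Transfer-Encoding field line, in order.
TeVerdict classifyTransferEncoding(const std::vector<std::string> &fieldValues)
{
    if (fieldValues.empty())
        return TeVerdict::None; // header absent; framing is decided elsewhere

    // Repeated list-header fields mean the same as one comma-joined value,
    // so two "chunked" lines become "chunked,chunked" (chunked applied twice).
    std::string value;
    for (std::size_t i = 0; i < fieldValues.size(); ++i) {
        if (i > 0)
            value += ',';
        value += fieldValues[i];
    }

    // Strip optional whitespace (SP / HTAB) around the whole value only.
    const auto first = value.find_first_not_of(" \t");
    if (first == std::string::npos)
        return TeVerdict::Reject; // header present but empty
    value = value.substr(first, value.find_last_not_of(" \t") - first + 1);

    // Assumption: coding names compare case-insensitively (RFC 7230 section 4).
    std::transform(value.begin(), value.end(), value.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });

    // No list parsing at all: anything but one bare name is rejected, including
    // ",,chunked" and "identity, chunked", which a lenient parser would accept.
    if (value == "chunked")
        return TeVerdict::Chunked;
    if (value == "identity")
        return TeVerdict::Identity;
    return TeVerdict::Reject;
}

int main()
{
    // Constructed sample values, not captured traffic.
    for (const char *v : {"chunked", "identity", "gzip", ",,chunked", "identity, chunked"})
        std::cout << '"' << v << "\" -> "
                  << (classifyTransferEncoding({v}) == TeVerdict::Reject ? "reject" : "accept") << '\n';
}
```

Skipping list parsing entirely is what keeps the check simple: a proxy that normalises `identity, chunked` before deciding framing can disagree with the next hop about where the message body ends.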