Strong Content-Type validation #901

krizhanovsky · 2018-02-04T16:13:45Z

Content-Type is important HTTP header with large security implication, so __parse_content_type() must be enhanced to check the RFC values for the header. Frang http_ct_vals limit must be moved to HTTP parser. BG algorithm must be used for multi-pattern matching. The multi-pattern matching must be done in generic way, so it depends on #732. Also consider its implementation in Linux kernel to be applicable for nftables (mainstream patch is appriciated).

We also should implemente Content-Type validation against resource type requested in URI, see CloudFlare's feature in AppSecCali 2019 - Cache Me If You Can: Messing with Web Caching

Also please update Web security and Frang Wikis and create a new functional test issue for the next milestone.

The text was updated successfully, but these errors were encountered:

krizhanovsky added enhancement security labels Feb 4, 2018

krizhanovsky added this to the 0.8 TDB v0.2 milestone Feb 4, 2018

krizhanovsky mentioned this issue Feb 9, 2018

Fast HTTP match #732

Open

krizhanovsky modified the milestones: 0.8 TDB v0.2, 0.10 Kernel-User Space Transport Mar 22, 2018

krizhanovsky mentioned this issue Mar 4, 2019

Blocking malformed request headers #1050

Closed

krizhanovsky modified the milestones: 1.4 TBD (Kernel-User Space Transport), 1.2 TBD Jan 3, 2022

krizhanovsky modified the milestones: 1.xx TBD, 1.x: TBD Apr 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strong Content-Type validation #901

Strong Content-Type validation #901

krizhanovsky commented Feb 4, 2018 •

edited

Loading

Strong Content-Type validation #901

Strong Content-Type validation #901

Comments

krizhanovsky commented Feb 4, 2018 • edited Loading

krizhanovsky commented Feb 4, 2018 •

edited

Loading