Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tornado does not reject messages with BWS after field-name #2790

Open
ZeddYu opened this issue Dec 13, 2019 · 0 comments
Open

Tornado does not reject messages with BWS after field-name #2790

ZeddYu opened this issue Dec 13, 2019 · 0 comments
Labels
http1connection

Comments

@ZeddYu
Copy link

ZeddYu commented Dec 13, 2019
edited

RFC 7230: server MUST reject messages with BWS after field-name (#445)
Obey the RFC requirement to reject HTTP requests with whitespace
between field-name and the colon delimiter. Rejection is
critical in the presence of broken HTTP agents that mishandle
malformed messages.

If not, it will be used to smuggle http request.

Test code:

import tornado.ioloop
import tornado.web

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello, world")
    
    def post(self):
        data = self.request.body
        self.write(str(data))

def make_app():
    return tornado.web.Application([
        (r"/", MainHandler),
    ])

if __name__ == "__main__":
    app = make_app()
    app.listen(8000)
    tornado.ioloop.IOLoop.current().start()

Test script:

printf 'POST / HTTP/1.1\r\n'\
'Host:localhost\r\n'\
'Content-length : 5\r\n'\
'Connection: close\r\n'\
'\r\n'\
'a=3\r\n'\
'\r\n'\
| nc -w 1 127.0.0.1 8000

Expected behavior:
return 400

Actual behavior:
return 200

Version:
tornado 6.0.3
python 3.7.5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
http1connection
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bdarnell @ZeddYu