Comment by mittensc
9 days ago
> It's not correct to attribute all bugs to carelessness
Sure, just the bugs in the link.
Content-Length+Transfer-Encoding should be bad request.
RFC is also not respected: "Proxies/gateways MUST remove any transfer-coding prior to forwarding a message via a"
Content-Lenght: \r\n7 is also a bad request.
Just those mean whoever wrote the parser didn't even bother read the RFC...
No parsing failure checks either...
That kind of person will mess up HTTP/2 as well.
It's not a protocol issue if you can't even be bothered to read the spec.
> The post makes the case that HTTP/2 is systematically less vulnerable than HTTP/1 to the kinds of vulnerabilities it's talking about.
Fair enough, I disagree with that conclusion. I'm really curious what kind of bugs the engineers above would add with HTTP/2, will be fun.
> Content-Length+Transfer-Encoding should be bad request.
Maybe it should be, but it isn't. In fact, all revisions of the HTTP/1.1 RFC have made it clear that if both headers are present, the receiver must treat it as the Content-Length header not being present. Not as an error.
RFC 2616 "If the message does include a non-identity transfer-coding, the Content-Length MUST be ignored."
RFC 7230 "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length"
RFC 9112 "... Transfer-Encoding is defined as overriding Content-Length, as opposed to them being mutually incompatible."
> RFC is also not respected: "Proxies/gateways MUST remove any transfer-coding prior to forwarding a message via a"
That's a spec mistake in the original RFC, corrected in later revisions. It would be an absurd requirement: if the input is chunked, the output must be chunked as well. If the sender is sending gzip and the receiver accepts it, what is gained from the proxy decompressing the stream only to immediately compress it?
> Content-Lenght: \r\n7 is also a bad request.
... I mean, yes, it would be a bad request. But the example in the article is "Content-Lenght: \r\n 7" which isn't invalid. It's a feature defined in RFC 2616 as folding. It was a bad idea and deprecated in later revisions, but that just means that a client should not send it. A server or proxy can either reject the message or undo the folding, they're just not allowed to pass them through unmodified.
At least in the Cloudflare case, if you look at the postmortem (https://blog.cloudflare.com/resolving-a-request-smuggling-vu...) and the commit that fixed the bug (https://github.com/cloudflare/pingora/commit/fda3317ec822678...), it's significantly more complicated than "they didn't read the RFC", and a conclusion that a diligent engineer would never ever make this kind of mistake does not seem justified.
I think the main point is that these sorts of parsing mistakes shouldn't be so easily exploitable and the problem is that the length is non trivial to parse, so if you mess up the parsing of that it escalates the security of a ton of other bugs.