Tree

Tree:
9670bf50476facc89168fc73fdbff056fdc8a146
Date:
Message:
Error out on presence of Content-Length and Transfer-Encoding headers for GET, HEAD and other methods that should have no body. Ignoring the Content-Length header makes httpd vulnerable to HTTP request smuggling. A crafted GET request may embed an extra HTTP request which could bypass a proxy or WAF but then is handled by httpd. Remove the special case for TRACE and CONNECT in the Content-Length handling. Move those checks into the method switch at the end of the header parsing phase and by that also cover more methods including GET and HEAD. If either header is present simply abort the connection, nobody should send extra data along GET and HEAD requests. Add an an explicit HTTP_METHOD_TRACE case above the default case to indicated that we deliberately don't handle TRACE requests. This security vulnerability was found by Nicola Staller of SySS GmbH. With and OK rsadowski@ previous version also OK florian@
Makefilecommits | blame
config.ccommits | blame
control.ccommits | blame
css.h.incommits | blame
http.hcommits | blame
httpd.8commits | blame
httpd.ccommits | blame
httpd.conf.5commits | blame
httpd.hcommits | blame
js.h.incommits | blame
log.ccommits | blame
logger.ccommits | blame
parse.ycommits | blame
patterns.7commits | blame
patterns.ccommits | blame
patterns.hcommits | blame
proc.ccommits | blame
server.ccommits | blame
server_fcgi.ccommits | blame
server_file.ccommits | blame
server_http.ccommits | blame
toheader.sedcommits | blame