MagicStack / httptools

Fast HTTP parser
MIT License

Vendored llhttp 8.1.1 is vulnerable #111

Closed mgorny closed 1 month ago

mgorny commented 1 month ago

httptools is currently vendoring llhttp 8.1.1 which is vulnerable to CVE-2024-27982.

mgorny commented 1 month ago

And after upgrading to 8.1.2, I'm seeing failures, because it no longer accepts multiline headers. FWICS, it may be possible to avoid this by using llhttp_set_lenient_headers(), but I guess that reintroduces the vulnerability. Alternatively, the tests could be updated not to rely on that anymore, but I don't know if that's going to break consumers or not.
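
To make the multiline-header point above concrete, here is an added example (not httptools or llhttp code) that models the difference between the strict default and the lenient opt-in: a header line starting with SP or HTAB is rejected outright in strict mode and folded into the previous header's value in lenient mode. The parse_header_block function, its lenient_headers flag and the sample request are assumptions of this illustration.

```python
import re
# Added illustration of llhttp's header-line handling (not httptools or llhttp code).
# A header line beginning with SP/HTAB is obs-fold (RFC 9112 section 5.2): llhttp 8.1.2
# rejects it by default; llhttp_set_lenient_headers() folds it into the previous value.

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 field-name token

class ObsFoldError(ValueError):
    """Header block contains a continuation (obs-fold) line."""

def parse_header_block(raw: bytes, lenient_headers: bool = False) -> dict:
    """Return {lowercased-name: value} for the header lines of one message."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers, last_name = {}, None
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):  # obs-fold continuation line
            if not lenient_headers or last_name is None:
                raise ObsFoldError(f"obs-fold line rejected: {line!r}")
            headers[last_name] += b" " + line.strip()  # lenient: join onto previous
            continue
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise ValueError(f"malformed header line: {line!r}")
        last_name = name.lower()
        headers[last_name] = value.strip()
    return headers

def strict_accepts(raw: bytes) -> bool:
    """True if the strict (default) parser accepts the header block."""
    try:
        parse_header_block(raw, lenient_headers=False)
    except ObsFoldError:
        return False
    return True

# Constructed sample request whose second header continues onto a folded line.
FOLDED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Note: first part\r\n"
    b" second part\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("strict accepts:", strict_accepts(FOLDED_REQUEST))  # False
    print("lenient:", parse_header_block(FOLDED_REQUEST, lenient_headers=True))
```

The security-relevant consequence is that a strict hop and a lenient hop disagree on how many headers the same bytes contain, which is why re-enabling leniency needs to be a deliberate opt-in rather than the default.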

elprans commented 1 month ago

Yeah, I went with the latter approach in #113, though maybe httptools should expose the lenient_headers opt-in in case people rely on it.

elprans commented 1 month ago

Alright, I rerolled #113 with leniency flags exposed.

mgorny commented 1 month ago

Thanks!