MagicStack / httptools

Fast HTTP parser
MIT License

bump to llhttp v6.0.10 #86

Closed nlsj1985 closed 1 year ago

nlsj1985 commented 2 years ago

Please bump the httptools version. It seems that there was some parsing issue remaining with regard to the CVEs. llhttp v6.0.10 changelog: "http: disable chunked encoding when OBS fold is used"

Fixes: https://hackerone.com/reports/1630336
Fixes: https://hackerone.com/reports/1665156
Fixes: https://hackerone.com/reports/1675191

Kludex commented 2 years ago

I can't access any of those:

Fixes: https://hackerone.com/reports/1630336
Fixes: https://hackerone.com/reports/1665156
Fixes: https://hackerone.com/reports/1675191

nlsj1985 commented 2 years ago

Yeah, sorry, I thought one could read the HackerOne reports after registering, but they aren't public (I can't access them either).

The release/change notes were a bit fuzzy when I read them the first time. This patch is related to CVE-2022-32213 (medium): llhttp doesn't correctly handle Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). You can ignore the other numbers.

v6.0.10 fixes "bypass via obs-fold mechanic" it seems.
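Why an obs-folded Transfer-Encoding header is a request-smuggling problem, shown as an added example (this is editor-written illustration code, not httptools or llhttp code). The raw stream is constructed for the demo; the policy names are labels chosen here, and "fold-disables-chunked" implements only what the quoted changelog line says ("disable chunked encoding when OBS fold is used"), not any claim about llhttp's internals. Two parsers that apply different policies to the same bytes end the first request at different offsets, which is exactly the desync that HTTP Request Smuggling exploits.

```python
"""Added example (not httptools/llhttp code): how an obs-folded Transfer-Encoding
header lets two parsers frame the same bytes differently, which is the
precondition for HTTP request smuggling, and what the rule named in the llhttp
v6.0.10 changelog ("disable chunked encoding when OBS fold is used") changes.
"""

# Constructed sample stream. The Transfer-Encoding value is continued on the
# next line after leading whitespace (obs-fold, RFC 7230 section 3.2.4).
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"   # 43 bytes = 0x2b
RAW = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding:\r\n"
    b" chunked\r\n"
    b"\r\n"
    b"2b\r\n" + SMUGGLED + b"\r\n"   # one chunk whose payload is a whole request
    b"0\r\n\r\n"
)


def parse_headers(head):
    """Return (list of (name, value), saw_obs_fold). Continuation lines are
    joined to the previous value with a single SP, the lenient RFC option."""
    headers, saw_fold = [], False
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):
            saw_fold = True
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, (value + b" " + line.strip()).strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, saw_fold


def read_chunked(data):
    """Minimal chunked decoder: returns (body, bytes after the final CRLF)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            _, _, data = data.partition(b"\r\n")   # empty trailer section
            return body, data
        body, data = body + data[:size], data[size + 2:]   # skip chunk CRLF


def frame_request(raw, policy):
    """Frame one request from raw bytes under a header-handling policy.

    'unfold'                obs-fold replaced by SP, TE: chunked honoured, and
                            per RFC 7230 3.3.3 chunked overrides Content-Length.
    'fold-disables-chunked' the rule named in the llhttp v6.0.10 changelog:
                            a folded header never turns on chunked decoding.
    'reject-fold'           the other RFC 7230 3.2.4 option: refuse the request.
    Returns (mode, body, leftover); leftover is what a server would parse as
    the *next* request on the same connection.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers, saw_fold = parse_headers(head)
    if policy == "reject-fold" and saw_fold:
        raise ValueError("400 Bad Request: obs-fold in request header")
    chunked = any(b"chunked" in v.lower()
                  for n, v in headers if n == b"transfer-encoding")
    if policy == "fold-disables-chunked" and saw_fold:
        chunked = False
    if chunked:
        body, leftover = read_chunked(rest)
        return "chunked", body, leftover
    length = next((int(v) for n, v in headers if n == b"content-length"), 0)
    return "content-length", rest[:length], rest[length:]


def desync(raw, front_policy, back_policy):
    """True when a front-end and back-end using these policies disagree on
    where the first request ends, i.e. the smuggling precondition."""
    _, _, front_left = frame_request(raw, front_policy)
    _, _, back_left = frame_request(raw, back_policy)
    return front_left != back_left


if __name__ == "__main__":
    for policy in ("unfold", "fold-disables-chunked"):
        mode, body, leftover = frame_request(RAW, policy)
        print(f"{policy:22} framing={mode:14} body={body[:12]!r} next={leftover[:20]!r}")
    print("desync:", desync(RAW, "unfold", "fold-disables-chunked"))
```

Under "unfold" the whole chunk (the embedded GET) is body and nothing is left on the connection; under "fold-disables-chunked" only four bytes are body and the leftover starts with `GET /admin`, so the second parser sees a request the first one never saw. The check worth adding at whichever hop you control is the third policy: a request header containing an obs-fold gets a 400, because any two hops that merely normalise differently form a desync pair.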

Kludex commented 2 years ago

Thanks 👍

And just to be sure, as I said on the uvicorn PR, we don't pin the httptools version. We just bump the minimum version to force users to install versions that are not compromised. This means that if httptools bumps the version, uvicorn users can already benefit from it.

nlsj1985 commented 2 years ago

Thanks also!