apache / trafficserver

Apache Traffic Server™ is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.
https://trafficserver.apache.org/
Apache License 2.0

ATS forwards invalid header names #10459

Open kenballus opened 9 months ago

kenballus commented 9 months ago

ATS accepts and forwards header names containing the following characters, all of which RFC 9110 does not permit in header names: `\t`, `` ` ``, `"`, `(`, `)`, `,`, `/`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]`, `{`, `}`, and the entire range from `\x80` to `\xff`.

Of particular note is that ATS forwards `\x85` and `\xa0`, because these characters are stripped by Python's `str.strip`, and are therefore stripped from headers in a certain buggy HTTP server of which I am aware. This is essentially the same issue as the one fixed by https://github.com/apache/trafficserver/pull/3192, but affects only servers that treat `\x85` and `\xa0` as whitespace.
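As an added illustration (not code from the ATS project or from the issue author), the block below puts a strict RFC 9110 field-name check beside a constructed lenient parser that decodes header lines as latin-1 and strips names with Python's argument-less `str.strip`. It shows why the two disagree on names that end in `\x85` or `\xa0`: the strict check rejects the line outright, while the lenient one silently turns the name into a plain, valid one. The lenient parser and the sample header lines are assumptions built for this example; they do not reproduce any particular server's code.

```python
"""Strict RFC 9110 field-name validation beside a constructed lenient parser.

Added example for the ATS header-name issue; not ATS code. Python 3.8+.
"""
from __future__ import annotations

import string

# RFC 9110 section 5.6.2: field-name = token, token = 1*tchar
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


def is_valid_field_name(name: bytes) -> bool:
    """True only when name is non-empty and every byte is a tchar.

    Bytes 0x80-0xFF, HTAB, SP and the delimiters ( ) , / ; < = > ? @ [ \\ ] { }
    are all rejected because they are not in TCHAR.
    """
    return len(name) > 0 and all(chr(b) in TCHAR for b in name)


def parse_header_line_strict(line: bytes) -> tuple[bytes, bytes]:
    """Split b'Name: value\\r\\n' and reject invalid names BEFORE any stripping.

    Only CR/LF are removed from the line end and only SP/HTAB (RFC 9110 OWS)
    around the value, so no byte can be silently discarded from the name.
    """
    line = line.rstrip(b"\r\n")
    name, sep, value = line.partition(b":")
    if not sep:
        raise ValueError(f"no colon in header line: {line!r}")
    if not is_valid_field_name(name):
        raise ValueError(f"invalid field name: {name!r}")
    return name, value.strip(b" \t")


def parse_header_line_lenient(line: str) -> tuple[str, str]:
    """Constructed stand-in for a lenient parser (assumption, not real server code).

    It decodes as latin-1 elsewhere and calls str.strip() with no argument, which
    strips every code point for which str.isspace() is true, including U+0085
    (NEL) and U+00A0 (NBSP), neither of which is whitespace in RFC 9110.
    """
    name, _, value = line.rstrip("\r\n").partition(":")
    return name.strip(), value.strip()


def shows_disagreement(raw: bytes) -> bool:
    """True when the strict parser rejects a line that the lenient parser
    normalises into a name the strict check would accept.

    That is exactly the condition under which two hops can see different
    header sets for the same bytes, which is what a validating proxy should
    prevent by rejecting the line.
    """
    try:
        parse_header_line_strict(raw)
        return False  # both sides agree: the line is fine
    except ValueError:
        pass
    name, _ = parse_header_line_lenient(raw.decode("latin-1"))
    return is_valid_field_name(name.encode("latin-1"))


if __name__ == "__main__":
    # Constructed sample header lines, not captured traffic.
    samples = [
        b"Content-Length: 5\r\n",        # valid on both sides
        b"Content-Length\xa0: 5\r\n",    # NBSP in name: strict rejects, lenient strips
        b"Content-Length\x85: 5\r\n",    # NEL in name: same disagreement
        b"Bad Name: 5\r\n",              # SP in name: rejected by both
    ]
    for s in samples:
        print(f"{s!r}: disagreement={shows_disagreement(s)}")
```

A proxy that applies the strict check (and rejects with 400 rather than forwarding) removes the disagreement regardless of how lenient the origin's parser is, which is the same remedy the linked PR applied for the ASCII whitespace cases.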

kenballus commented 7 months ago

This is usable for request smuggling when ATS is in front of Gunicorn.