drogonframework / drogon

Drogon: A C++14/17/20 based HTTP web application framework running on Linux/macOS/Unix/Windows
MIT License

Drogon server crashes, if client sends cookie with characters in range 128-254 #1666

Closed VladlenPopolitov closed 1 year ago

VladlenPopolitov commented 1 year ago

Describe the bug

The bug is observed on Windows, MS Visual Studio 17.6.4, Drogon compiled as a 64-bit executable. The Drogon server crashes at the stage of request header processing, before passing execution to controllers. If the server's client (browser) sends a cookie with characters 128-254, Drogon crashes due to an assertion check in the C++ standard library (in Debug mode); in Release mode, without the assert, the behaviour is undefined. The crash appears especially if the last character in the cookie is in the range 128-254: a crash during the trimming of 'isspace' characters at the end of the cookie value.

The reason for the bug: the std::isspace function is called in the wrong way. The character must be sent as unsigned char:

The behavior is undefined if the value of ch is not representable as unsigned char and is not equal to EOF. To use these functions safely with plain chars (or signed chars), the argument should first be converted to unsigned char:

    bool my_isspace(char ch) { return std::isspace(static_cast<unsigned char>(ch)); }

To Reproduce Steps to reproduce the behavior:

  1. Go to dragon examples, to helloworld 2. Add cookie (to emulate the sending of the cookies by browser) to / controller in main.cc @@ -11,6 +11,12 @@ int main() [](const HttpRequestPtr &, std::function<void(const HttpResponsePtr &)> &&callback) { auto resp = HttpResponse::newHttpResponse();
    • drogon::Cookie lang("language", "你好");
    • lang.setPath("/");
    • lang.setExpiresDate(
    • trantor::Date::now().after(3600 24 365 * 10));
    • resp->addCookie(lang);
    •  resp->setBody("Hello, World!");
       callback(resp);

      },
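Review bot: the expiry expression `trantor::Date::now().after(3600 24 365 * 10)` in the added lines will not compile as shown; the multiplication operators between 3600, 24 and 365 have most likely been swallowed by markdown rendering of `*`, so anyone reproducing this should write `after(3600 * 24 * 365 * 10)`. The cookie value "你好" is a good trigger for the described trim crash: its UTF-8 encoding is E4 BD A0 E5 A5 BD, every byte is at or above 128 and the last byte (0xBD) is exactly the case the report says is hit when trailing 'isspace' characters are trimmed.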

  2. Build and run in debug mode
  3. Access Drogon from any browser; Drogon crashes with an assertion in the std::isspace function. In release mode the behaviour is undefined.

Expected behavior

All calls of std::isspace() must be changed to std::isspace(static_cast<unsigned char>(ch)).

Screenshots

Crash message: Expression: c>=-1 && c<=255

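As an added example (not code from this issue, from Drogon or from Trantor), the cast the report asks for, applied to a small trim routine of the kind that strips whitespace from a cookie value. It runs over a constructed value containing the UTF-8 bytes of "你好" (all at or above 128, last byte 0xBD) so that a trailing high byte reaches the whitespace check. The names safeIsSpace, trimValue and sampleCookieValue are chosen here and are not the framework's own.

```cpp
#include <cassert>
#include <cctype>
#include <string>

// std::isspace takes an int that must be representable as unsigned char
// (or be EOF). Plain char is signed on x86 builds with MSVC and GCC, so a
// byte >= 128 arrives as a negative int: undefined behaviour, and in MSVC
// debug builds the assertion "c >= -1 && c <= 255" quoted in the issue.
// Converting to unsigned char first keeps every byte in 0..255.
inline bool safeIsSpace(char ch)
{
    return std::isspace(static_cast<unsigned char>(ch)) != 0;
}

// Strip leading and trailing whitespace from a header or cookie value.
// Assumed helper for this example, not Drogon's or Trantor's trim function.
std::string trimValue(const std::string &in)
{
    std::size_t start = 0;
    std::size_t end = in.size();
    while (start < end && safeIsSpace(in[start]))
        ++start;
    while (end > start && safeIsSpace(in[end - 1]))
        --end;
    return in.substr(start, end - start);
}

// Constructed sample: the cookie value "你好" (UTF-8 bytes E4 BD A0 E5 A5 BD)
// padded with the kind of whitespace a client might send around it.
std::string sampleCookieValue()
{
    return std::string("  \xE4\xBD\xA0\xE5\xA5\xBD\t");
}

int main()
{
    // The high bytes are left intact and only the surrounding whitespace goes.
    const std::string trimmed = trimValue(sampleCookieValue());
    assert(trimmed == "\xE4\xBD\xA0\xE5\xA5\xBD");
    return 0;
}
```

The same pattern applies to every other <cctype> classifier (std::isalpha, std::isdigit, std::tolower, ...): none of them may be handed a plain char directly when the input can carry bytes outside 0..127, which is always the case for untrusted request headers.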

risicle commented 1 year ago

This (or a closely related issue) appears to have been assigned CVE-2023-26137

https://nvd.nist.gov/vuln/detail/CVE-2023-26137

VladlenPopolitov commented 1 year ago

This issue was fixed in trantor library some time ago.