graygnuorg / pound

Light-weight reverse proxy, load balancer and HTTPS front-end for Web servers.
GNU General Public License v3.0

Pound forwards chunk sizes prefixed with `0x`, `-`, and `+` #19

Closed kenballus closed 11 months ago

kenballus commented 11 months ago

Because Pound parses chunk sizes using `strtoll(, , 16)`, chunk sizes that begin with `0x` are erroneously accepted and forwarded. `-` and `+` prefixes are also accepted for the same reason, though `-` is only accepted when the chunk size is 0. This is not permitted in the HTTP RFCs, and can lead to problems for downstream servers because some servers interpret chunk sizes that begin with `0x` as equivalent to 0. This can be used for request smuggling against such servers.
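Added illustration, not code from Pound or from the reporter: a lenient parser built on the `strtoll(, , 16)` pattern described above, beside a strict parser that accepts only the RFC chunk-size grammar (`1*HEXDIG`, optional `;` extension, CRLF). Both functions and the sample chunk-size lines are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parse, modelled on the strtoll(, , 16) pattern in the report
 * (constructed here, not Pound's code). Returns -1 on failure. strtoll
 * accepts an optional sign and a "0x" prefix in base 16, so "0x10", "+10"
 * and "-0" all pass, while "-5" fails only because the result is negative. */
static long long lenient_chunk_size(const char *line)
{
    char *end;
    long long n;
    errno = 0;
    n = strtoll(line, &end, 16);
    if (end == line || errno == ERANGE || n < 0)
        return -1;
    /* size may be followed by a chunk extension or the CRLF terminator */
    if (*end != ';' && *end != '\r')
        return -1;
    return n;
}

/* Strict parse: chunk-size = 1*HEXDIG, then optional chunk-ext (";" ...)
 * and CRLF. No sign, no "0x", no leading whitespace; overflow is rejected.
 * Extension contents are not validated here. Returns -1 on mismatch. */
static long long strict_chunk_size(const char *line)
{
    long long n = 0;
    size_t i = 0;
    if (!isxdigit((unsigned char)line[0]))
        return -1;                        /* at least one HEXDIG required */
    for (; isxdigit((unsigned char)line[i]); i++) {
        unsigned char c = (unsigned char)line[i];
        int d = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (n > (LLONG_MAX - d) / 16)
            return -1;                    /* would overflow */
        n = n * 16 + d;
    }
    if (line[i] == ';' || strcmp(line + i, "\r\n") == 0)
        return n;
    return -1;
}
```

The lenient variant reproduces exactly the three accepted prefixes the report lists; the strict variant is what a proxy should enforce so that no downstream server ever sees a `0x`-prefixed size.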

graygnuorg commented 11 months ago

Thanks for reporting. Fixed by 60a4f42b2a1f901aec9746cde56c2f19a4a1a332 and f70db92c126fffaab62b1f003413d8bdd93e45b0.