graygnuorg / pound

Light-weight reverse proxy, load balancer and HTTPS front-end for Web servers.
GNU General Public License v3.0

Pound forwards requests with invalid whitespace around chunk sizes #20

Closed kenballus closed 10 months ago

kenballus commented 11 months ago

RFC 9112 defines a chunked message body with the following ABNF rules:

  chunked-body   = *chunk
                   last-chunk
                   trailer-section
                   CRLF

  chunk          = chunk-size [ chunk-ext ] CRLF
                   chunk-data CRLF
  chunk-size     = 1*HEXDIG
  last-chunk     = 1*("0") [ chunk-ext ] CRLF

  chunk-data     = 1*OCTET ; a sequence of chunk-size octets

Note that no whitespace is permitted preceding a chunk-size. Pound accepts and forwards whitespace before chunk-sizes.

For example, when I send the following invalid request to my Pound reverse proxy:

POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
\t0\r\n
\r\n

here's what it forwards to its backend:

POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
X-Forwarded-For: 172.18.0.1\r\n
X-Forwarded-Proto: http\r\n
X-Forwarded-Port: 80\r\n
\r\n
\t0\r\n
\r\n

Note that the \t before the 0 chunk size is preserved through the proxy.
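A strict reading of the `chunk-size [ chunk-ext ] CRLF` rule quoted above, as an added example that is not part of the original issue and is not Pound's code or its fix. The function name `parse_chunk_size_line` and the inputs in `main` are assumptions constructed for illustration; extension contents after `;` are skipped rather than validated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of one HEXDIG octet, or -1 if the octet is not a HEXDIG. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "chunk-size [ chunk-ext ] CRLF" at the start of buf (hypothetical helper).
 * Returns the octets consumed, CRLF included, and stores the size in *size;
 * returns -1 if the line is malformed or incomplete. Extension contents after
 * ';' are skipped, not validated. */
long parse_chunk_size_line(const char *buf, size_t len, uint64_t *size)
{
    size_t i = 0, ws;
    uint64_t n = 0;
    int d;
    /* chunk-size = 1*HEXDIG: the first octet must be a digit, so "\t0" fails. */
    while (i < len && (d = hexval((unsigned char)buf[i])) >= 0) {
        if (n > (UINT64_MAX >> 4)) return -1;   /* next shift would overflow */
        n = (n << 4) | (uint64_t)d;
        i++;
    }
    if (i == 0) return -1;
    /* chunk-ext allows BWS only in front of ';', never before the CRLF. */
    ws = i;
    while (i < len && (buf[i] == ' ' || buf[i] == '\t')) i++;
    if (i < len && buf[i] == ';')
        while (i < len && buf[i] != '\r' && buf[i] != '\n') i++;
    else if (i != ws)
        return -1;
    if (i + 1 >= len || buf[i] != '\r' || buf[i + 1] != '\n') return -1;
    *size = n;
    return (long)(i + 2);
}

int main(void)
{
    uint64_t size = 0;
    /* Constructed inputs: the body from the report, then the valid form. */
    printf("%ld\n", parse_chunk_size_line("\t0\r\n\r\n", 6, &size));
    printf("%ld\n", parse_chunk_size_line("0\r\n\r\n", 5, &size));
    return 0;
}
```

A proxy that gets -1 here can answer 400 and close the connection instead of passing the line through, so the backend never has to decide how to interpret it.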

graygnuorg commented 10 months ago

Fixed in commit 3870135280