kasmtech / KasmVNC

Modern VNC Server and client, web based and secure
GNU General Public License v2.0

Requests with long headers result in no response. #253

Open kroemeke opened 2 weeks ago

kroemeke commented 2 weeks ago

Describe the bug

Larger requests are not processed correctly. I discovered this while setting up KasmVNC behind Cloudflare Access, which adds a few long (but valid) headers (a few cookies, or a base64-encoded client certificate, or a JWT, etc.).

System Description

Provide the output of

root@1f621a4949d9:/# cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.19.1
PRETTY_NAME="Alpine Linux v3.19"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
root@1f621a4949d9:/# uname -a
Linux 1f621a4949d9 6.5.11-linuxkit #1 SMP PREEMPT Wed Dec  6 17:08:31 UTC 2023 aarch64 GNU/Linux
root@1f621a4949d9:/#

KasmVNC Details

Provide the filename of the package you installed KasmVNC with. The filename includes important details like the OS, architecture, and commit sha.

Provide the output of this command.

root@1f621a4949d9:/# Xvnc -version

Xvnc KasmVNC 1.2.0 - built Mar 23 2024 18:46:06
Copyright (C) 1999-2018 KasmVNC Team and many others (see README.me)
See http://kasmweb.com for information on KasmVNC.
Underlying X server release 12014000, The X.Org Foundation

root@1f621a4949d9:/#

To Reproduce

Working request:

root@1f621a4949d9:/# curl -D - -o /dev/null http://localhost:6901/ -s  curl -H "Cookie: $(printf 'A%.0s' {1..4000})"
HTTP/1.1 200 OK
Server: KasmVNC/4.0
Connection: close
Content-type: text/html
Content-length: 23943
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
root@1f621a4949d9:/# 

Broken request (few bytes more):

root@1f621a4949d9:/# curl -D - -o /dev/null http://localhost:6901/ -s  curl -H "Cookie: $(printf 'A%.0s' {1..4096})"
root@1f621a4949d9:/#

Expected behavior

KasmVNC continues to work with larger client requests.

Additional context

This doesn't seem to be a limit on individual header size, but rather on total client request size. It is possible to trigger this behaviour via multiple smaller headers. I believe the limit may come from https://raw.githubusercontent.com/kasmtech/KasmVNC/master/common/network/websocket.c

clbr commented 2 weeks ago

Confirmed. We're adding better logging and increasing the allowed request size. Very large headers are usually attacks instead of valid users, but Cloudflare cookies do seem large.
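
Added illustration, not part of the issue thread and not KasmVNC's own code: a request-head size cap that answers an oversized request with 431 and a log line instead of closing the connection silently, which is the symptom reported above. The 4096-byte cap, the function names and the sample requests are assumptions, constructed to mirror the report's 4000- and 4096-byte cookies.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST 4096 /* assumed cap, chosen to match the report's boundary */

enum req_state { REQ_INCOMPLETE, REQ_COMPLETE, REQ_TOO_LARGE };

/* Classify the bytes read so far for one request head (all headers together). */
enum req_state classify_request(const char *buf, size_t len, size_t max)
{
    size_t scan = len < max ? len : max;
    for (size_t i = 0; i + 4 <= scan; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return REQ_COMPLETE;      /* blank line found inside the cap */
    return len >= max ? REQ_TOO_LARGE : REQ_INCOMPLETE;
}

/* Response to send before closing, or NULL when nothing is rejected. */
const char *reject_response(enum req_state st, size_t len, size_t max)
{
    if (st != REQ_TOO_LARGE)
        return NULL;
    fprintf(stderr, "http: request head exceeds cap of %zu bytes "
                    "(%zu bytes read), sending 431\n", max, len);
    return "HTTP/1.1 431 Request Header Fields Too Large\r\n"
           "Connection: close\r\nContent-Length: 0\r\n\r\n";
}

/* Constructed sample input: a GET whose Cookie value is cookie_len 'A's. */
size_t build_request(char *out, size_t cap, size_t cookie_len)
{
    static const char head[] = "GET / HTTP/1.1\r\nHost: localhost:6901\r\nCookie: ";
    size_t n = sizeof head - 1;
    if (n + cookie_len + 5 > cap) return 0;
    memcpy(out, head, n);
    memset(out + n, 'A', cookie_len);
    memcpy(out + n + cookie_len, "\r\n\r\n", 5);
    return n + cookie_len + 4;
}

int main(void)
{
    char req[8192];
    size_t n = build_request(req, sizeof req, 4096);
    const char *r = reject_response(classify_request(req, n, MAX_REQUEST), n, MAX_REQUEST);
    printf("total=%zu -> %s\n", n, r ? "431" : "accepted");
    return 0;
}
```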