Lwan truncates header lines on `\rX`, where `X` can be anything

[kenballus]

The bug

HTTP/1.1 header field lines must be terminated with either CRLF or bare LF. Lwan terminates header field lines with CR followed by anything. This is usable for request smuggling when Lwan is deployed behind a reverse proxy that forwards bare CR in header field lines.

For example, Lwan sees one request in the following payload, where it should either see two requests or reject the message:

POST / HTTP/1.1\r\n
Host: a\rX
Content-Length: 31\r\n
\r\n
GET /evil HTTP/1.1\r\n
Host: a\r\n
\r\n

What other servers do

Respond 400:

• AIOHTTP
• Apache httpd
• FastHTTP
• Go net/http
• H2O
• HAProxy
• Hyper
• Hypercorn
• Jetty
• Libevent
• Libsoup
• Lighttpd
• Nginx
• Node.js
• Passenger
• Puma
• Tomcat
• Unicorn
• Uvicorn
• Waitress
• WEBrick

See two requests:

• Cheroot
• Gunicorn
• LiteSpeed
• ServiceTalk
• Tornado
• Twisted
• OpenWrt uhttpd
• OpenBSD httpd

Close the connection without responding:

• Mongoose
• Netty

[lpereira]

Thanks for the bug report! It's a simple fix, and I'll send a patch this week.

[lpereira]

Fixed, thank you!