Issue (opened by zinid):

cowlib parser crashes (due to `function_clause`) on malformed values of the `Connection` header. This typically looks like:

The problem has recently worsened due to the appearance of log4j exploits (CVE-2021-44228). For example, we get around 30k related cowboy crashes per week, so this is not a cosmetic issue anymore, as it creates a burden for the OPS team. Another complication is that this malformed value can be put by the exploiting script into any header, so it seems like not only the `Connection` header is affected: as explained in the vulnerability description, it can be put into `User-Agent`, `Authorization` and so on.

Can this somehow be resolved?

P.S. I'm not quite sure whether this problem relates to cowlib or cowboy. Sorry if I opened the ticket in the wrong repository.

Comment:

Cowboy! I think Cowlib crashing is fine, but Cowboy should catch the exceptions for the headers that it parses instead of erroring out noisily like this.

Comment:

Okay, I will try to prepare a PR to the Cowboy repository ASAP.

Closed: zinid closed 1 year ago
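The thread's conclusion is that the library parser may raise on malformed input, and the caller is where the raise should be contained so a hostile header value becomes a rejected request rather than a crash report. The module below is an added example of that containment pattern, not code from cowlib or Cowboy: `cow_http_hd:parse_connection/1` is cowlib's real parser, but the module name `safe_hd`, the functions `safe_parse/2`, `parse_connection/1` and `demo/0`, and the malformed sample value (which simply contains `{`, a character that is not a valid HTTP token character) are constructed for this illustration. The same wrapper applies to any other `cow_http_hd` parser, which matches the report's point that the malformed value can land in any header.

```erlang
%% Added example (not cowlib/cowboy code). Assumes cowlib is on the code path.
-module(safe_hd).
-export([safe_parse/2, parse_connection/1, demo/0]).

%% Run a strict header parser from cowlib and turn any parse error into a
%% tagged return value. cowlib deliberately fails with function_clause on
%% input that does not match the grammar; the caller is the right place to
%% decide what to do with that (here: report it as a malformed header).
-spec safe_parse(fun((binary()) -> term()), binary()) ->
          {ok, term()} | {error, malformed_header}.
safe_parse(Parser, Value) when is_function(Parser, 1), is_binary(Value) ->
    try Parser(Value) of
        Parsed -> {ok, Parsed}
    catch
        %% function_clause is the class reported in the issue; any other
        %% error raised by the parser is equally "input we cannot accept".
        error:_ -> {error, malformed_header}
    end.

%% Wrapper for the Connection header specifically (the header named in the
%% issue). cow_http_hd:parse_connection/1 returns a list of lowercased tokens.
-spec parse_connection(binary()) -> {ok, [binary()]} | {error, malformed_header}.
parse_connection(Value) ->
    safe_parse(fun cow_http_hd:parse_connection/1, Value).

%% Constructed sample inputs: two well-formed values and one malformed value.
%% With the wrapper, the malformed one yields {error, malformed_header}
%% instead of an uncaught function_clause error in the calling process.
demo() ->
    Inputs = [
        <<"close">>,                 % well-formed, single token
        <<"keep-alive, Upgrade">>,   % well-formed token list (lowercased on return)
        <<"close, {not-a-token}">>   % constructed malformed value: '{' is not a tchar
    ],
    [{In, parse_connection(In)} || In <- Inputs].
```

A request handler that receives `{error, malformed_header}` from such a wrapper can answer with a 400 and log one line at a level that does not page anyone, which is the operational relief the report is asking for: the parser stays strict, but the noise from a scanner sending garbage in every header is contained at the edge.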