openwrt / uhttpd

[MIRROR] Tiny HTTP server
https://git.openwrt.org/?p=project/uhttpd.git;

uhttpd incorrectly accepts empty header names. #5

Open kenballus opened 4 months ago

kenballus commented 4 months ago

uhttpd accepts requests with empty header names. These are invalid according to the RFCs.

For example, uhttpd will accept the following request:

GET / HTTP/1.1\r\n
:\r\n
\r\n
stokito commented 4 months ago

IMHO it's not critical, and from a security perspective nothing bad should happen. According to Postel's Law we should accept this.

kenballus commented 4 months ago

The potential security problem is that some reverse proxies treat \r\n:\r\n as equivalent to \r\n\r\n (i.e., the end-of-headers sequence), but forward it as-is. This allows for request smuggling when used with a server that allows empty header names, like uhttpd.

Other web servers (e.g. Nginx, Apache) don't allow empty header names, so clients don't produce them, so no compatibility is lost. The RFCs are pretty clear that header names must be nonempty.
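The desync described in the comment above, as an added example that is not part of the issue thread and is not uhttpd's code or any real proxy's code. It models three simplified HTTP/1.1 request framers: a hypothetical front end (`frontend_view`) that treats `\r\n:\r\n` as the end of the header block but forwards the bytes unchanged, a backend that accepts an empty header name (`lenient_backend`, the behaviour reported), and a backend that rejects it (`strict_backend`, what the RFCs require). The wire bytes, the `/submit`, `/a` and `/admin` paths, and the `X-Ignored` header are all constructed for the demonstration; the thread names no particular proxy.

```python
"""Model of the empty-header-name request-smuggling discrepancy.

Constructed example: none of the parsers here is uhttpd or a real reverse proxy;
they only reproduce the framing rules the issue comment talks about.
"""
import re

CRLF = b"\r\n"
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 9110 field-name token


def _split_head(head):
    """Parse a request-line and its header lines (the last line has no CRLF)."""
    lines = head.split(CRLF)
    method, target, version = lines[0].split(b" ")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def _content_length(headers):
    values = {v for n, v in headers if n == b"content-length"}
    if not values:
        return 0
    if len(values) != 1:
        raise ValueError("conflicting Content-Length values")
    return int(values.pop())


def frame_requests(buf, end_markers, empty_name_ok):
    """Split one TCP stream into (method, target, headers, body) tuples.

    end_markers:   byte sequences any of which terminates the header block;
                   the earliest occurrence wins.
    empty_name_ok: whether a header line such as ":" (empty field-name) is accepted.
    """
    requests = []
    while buf:
        while buf.startswith(CRLF):  # RFC 9112 s2.2: empty lines before a request-line may be ignored
            buf = buf[2:]
        if not buf:
            break
        hits = [(buf.find(m), m) for m in end_markers if buf.find(m) != -1]
        if not hits:
            raise ValueError("incomplete header block")
        pos, marker = min(hits)
        method, target, version, headers = _split_head(buf[:pos])
        if not empty_name_ok:
            for name, _ in headers:
                if not TOKEN.fullmatch(name):
                    raise ValueError("invalid field-name: %r" % name)
        rest = buf[pos + len(marker):]
        n = _content_length(headers)
        if len(rest) < n:
            raise ValueError("incomplete body")
        requests.append((method, target, headers, rest[:n]))
        buf = rest[n:]
    return requests


def frontend_view(buf):
    """Hypothetical proxy: '\\r\\n:\\r\\n' ends the headers just like '\\r\\n\\r\\n'."""
    return frame_requests(buf, [CRLF + CRLF, CRLF + b":" + CRLF], empty_name_ok=False)


def lenient_backend(buf):
    """Server that accepts an empty header name (the behaviour reported in the issue)."""
    return frame_requests(buf, [CRLF + CRLF], empty_name_ok=True)


def strict_backend(buf):
    """Server that rejects an empty header name, as the RFCs require."""
    return frame_requests(buf, [CRLF + CRLF], empty_name_ok=False)


def targets(requests):
    return [target for _, target, _, _ in requests]


def rejects(parser, buf):
    """True if the parser refuses the stream with a ValueError."""
    try:
        parser(buf)
    except ValueError:
        return True
    return False


# The request from the issue report, as bytes.
ISSUE_EXAMPLE = b"GET / HTTP/1.1\r\n:\r\n\r\n"

# Constructed stream: Content-Length is counted from a different offset by the
# two sides, so the proxy frames "GET /a" as the second request while the
# lenient backend frames "GET /admin" as the second request.
SMUGGLE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: backend\r\n"
    b"Content-Length: 22\r\n"
    b":\r\n"                        # empty field-name: proxy stops here, backend keeps reading
    b"X-Ignored: aaaaa\r\n"         # 18 bytes: header to the backend, body to the proxy
    b"\r\n"                         # 2 bytes: end of headers to the backend, body to the proxy
    b"hi"                           # 2 bytes: body on both views
    b"GET /a HTTP/1.1\r\nX: "       # 20 bytes: request #2 to the proxy, body to the backend
    b"GET /admin HTTP/1.1\r\n\r\n"  # request #2 to the backend, a header value to the proxy
)

if __name__ == "__main__":
    print("proxy sees:  ", targets(frontend_view(SMUGGLE)))
    print("lenient sees:", targets(lenient_backend(SMUGGLE)))
    print("strict:      ", "rejected" if rejects(strict_backend, SMUGGLE) else "accepted")
```

The proxy applies its rules to `GET /a` and forwards the bytes untouched; the lenient backend serves `GET /admin`, which the proxy never saw as a request. Rejecting the empty field-name, as `strict_backend` does, removes the disagreement at the cost of a request no compliant client sends.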

stokito commented 4 months ago

Thank you for the explanation.