whatwg / fetch

Fetch Standard
https://fetch.spec.whatwg.org/

Preventing some CRLF header injection attacks #375

Open annevk opened 8 years ago

annevk commented 8 years ago

Firefox has some logic to prevent CRLF header injection attacks for Location, Content-Length, and Content-Disposition headers.

Search for "IsSuspectDuplicateHeader" in http://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHeaderArray.h http://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHeaderArray.cpp

I'm not entirely sure whether to standardize this since other implementations seem to have different behavior, but it does seem nice as defense-in-depth.

Note that Firefox's behavior also affects what can be observed in the API as the duplicate headers with equal values are silently dropped and therefore not exposed.

annevk commented 8 years ago

Note that ideally this is defined at the HTTP level since it's basically a change in header parsing. (And the only way to implement this kind of thing at the application layer is if any header combining is left to the application.)

mnot commented 8 years ago

From http://httpwg.org/specs/rfc7230.html#header.content-length -

If a message is received that has multiple Content-Length header fields with field-values consisting of the same decimal value, or a single Content-Length header field with a field value containing a list of identical decimal values (e.g., "Content-Length: 42, 42"), indicating that duplicate Content-Length header fields have been generated or combined by an upstream message processor, then the recipient MUST either reject the message as invalid or replace the duplicated field-values with a single valid Content-Length field containing that decimal value prior to determining the message body length or forwarding the message.

http://httpwg.org/specs/rfc7231.html#header.location doesn't have any relevant text; should probably raise a bug in https://github.com/httpwg/http11bis/issues .

What's the attack scenario for Content-Location?
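The Content-Length rule quoted above, worked through as an added example (this is not Firefox's IsSuspectDuplicateHeader logic, the Fetch spec's algorithm, or code from this thread; the function names and the sample header lines are constructed for illustration): identical duplicates collapse into one field, any disagreement rejects the message rather than letting "first value wins" decide the body length.

```javascript
// Added example: apply the RFC 7230 Content-Length duplicate rule to a
// list of raw header lines. Identical duplicate values (separate fields or
// a combined "42, 42" list) collapse into one; conflicting values reject
// the message, which is the response-splitting / smuggling signal.

// Parse raw header lines into [name, value] pairs; names are lower-cased
// and optional whitespace around the value is trimmed (RFC 7230 3.2).
function parseHeaderLines(lines) {
  return lines.map((line) => {
    const idx = line.indexOf(":");
    if (idx <= 0) throw new Error(`malformed header line: ${line}`);
    return [line.slice(0, idx).toLowerCase(), line.slice(idx + 1).trim()];
  });
}

// Returns { ok: true, contentLength: n|null } or { ok: false, reason }.
function resolveContentLength(headerLines) {
  const values = [];
  for (const [name, value] of parseHeaderLines(headerLines)) {
    if (name !== "content-length") continue;
    // A single field may carry a comma list ("42, 42") when an upstream
    // processor combined duplicates; treat each member as one value.
    for (const member of value.split(",")) values.push(member.trim());
  }
  if (values.length === 0) return { ok: true, contentLength: null };
  // Content-Length is 1*DIGIT; anything else ("", "+42", "4 2") is invalid.
  for (const v of values) {
    if (!/^\d+$/.test(v)) {
      return { ok: false, reason: `invalid Content-Length value "${v}"` };
    }
  }
  // Duplicates that disagree must be rejected, never silently resolved.
  const distinct = new Set(values);
  if (distinct.size > 1) {
    return { ok: false, reason: `conflicting Content-Length: ${[...distinct].join(", ")}` };
  }
  return { ok: true, contentLength: Number(values[0]) };
}

// Constructed sample inputs (not captured traffic).
const benignDuplicate = ["Host: example.test", "Content-Length: 42", "Content-Length: 42"];
const combinedList = ["Host: example.test", "Content-Length: 42, 42"];
const conflicting = ["Host: example.test", "Content-Length: 42", "Content-Length: 7"];
```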

annevk commented 6 years ago

Created https://github.com/w3c/web-platform-tests/pull/10548 (tests) and https://github.com/httpwg/http-core/issues/59 (HTTP update) for Content-Length. More test suggestions welcome.

annevk commented 6 years ago

What's the attack scenario for Content-Location?

FWIW, I'm not sure, is that even implemented (client-side)?