
Check trailers in body-less requests #2240

Open
krizhanovsky opened this issue Sep 12, 2024 · 0 comments
Labels: good to start (Start from these tasks if you're new in Tempesta FW), low priority, security
Milestone: 1.0 - GA

Comments

@krizhanovsky (Contributor):

Motivation

We allow requests like:

```http
GET / HTTP/1.1
Host: foo.com
Trailers: X-trailer
X-trailer: foo
```

It's unclear from the RFC how to treat trailers in requests w/o a body, so this may potentially open an HTTP header smuggling attack vector. It's also unclear why a client may send such requests. I don't remember any such attacks, so low priority.

Scope

We should drop such requests and increment a security counter. It seems the Trailers header must be made special for a quick check for the header and an empty body.

Testing

Create an appropriate test to a task for the test.

Documentation

No documentation is required.
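The check the Scope section asks for, as an added stand-alone C example (not Tempesta FW code): walk the request head once, remember whether a trailer-announcing header was seen, decide at the end of the headers whether a body was announced, and drop plus count the request when a trailer is announced without a body. Assumptions not taken from the issue: the head arrives as a single CRLF-delimited string; "body announced" means a non-zero Content-Length or a Transfer-Encoding whose final coding is chunked; the counter is a process global standing in for a real security counter; both the RFC 7230 field name `Trailer` and the `Trailers` spelling used in the issue's sample are recognised.

```c
/* Added example, not Tempesta FW code: flag a request that announces
 * trailers while announcing no message body. Assumptions are noted inline. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical security counter: bumped once per dropped request. */
static unsigned long g_trailer_no_body_drops = 0;

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* If `line` is the header `name`, return a pointer to its value (leading
 * whitespace skipped); otherwise NULL. Field names are case-insensitive. */
static const char *header_value(const char *line, const char *name)
{
	size_t n = strlen(name);
	if (strncasecmp(line, name, n) != 0 || line[n] != ':')
		return NULL;
	line += n + 1;
	while (*line == ' ' || *line == '\t')
		line++;
	return line;
}

/* True when the last comma-separated coding in a Transfer-Encoding value is
 * "chunked", the only framing under which trailers are legitimate. */
static bool te_is_chunked(const char *val)
{
	const char *last = strrchr(val, ',');
	last = last ? last + 1 : val;
	while (*last == ' ' || *last == '\t')
		last++;
	return strncasecmp(last, "chunked", 7) == 0;
}

/* Inspect the header block of `head` (request line through the blank line).
 * Returns VERDICT_DROP, and increments the counter, when a trailer header is
 * present but no body is announced. Assumes CRLF line endings. */
enum verdict check_trailer_without_body(const char *head)
{
	bool has_trailer = false, has_body = false;
	const char *eol = strstr(head, "\r\n");
	if (!eol)
		return VERDICT_PASS;	/* no complete request line: not our concern here */
	const char *p = eol + 2;	/* skip the request line */

	while (*p && !(p[0] == '\r' && p[1] == '\n')) {
		eol = strstr(p, "\r\n");
		size_t len = eol ? (size_t)(eol - p) : strlen(p);
		char line[512];
		if (len >= sizeof(line))
			len = sizeof(line) - 1;
		memcpy(line, p, len);
		line[len] = '\0';

		const char *v;
		if ((v = header_value(line, "Trailer")) != NULL ||
		    (v = header_value(line, "Trailers")) != NULL) {
			has_trailer = true;	/* RFC name and the issue's spelling */
		} else if ((v = header_value(line, "Content-Length")) != NULL) {
			/* Full Content-Length validation belongs to the real parser;
			 * here any positive value counts as an announced body. */
			if (strtoul(v, NULL, 10) > 0)
				has_body = true;
		} else if ((v = header_value(line, "Transfer-Encoding")) != NULL) {
			if (te_is_chunked(v))
				has_body = true;
		}
		if (!eol)
			break;
		p = eol + 2;
	}

	if (has_trailer && !has_body) {
		g_trailer_no_body_drops++;
		return VERDICT_DROP;
	}
	return VERDICT_PASS;
}

unsigned long trailer_no_body_drop_count(void)
{
	return g_trailer_no_body_drops;
}

int main(void)
{
	/* Constructed request head mirroring the issue's example. */
	const char *req = "GET / HTTP/1.1\r\nHost: foo.com\r\n"
			  "Trailers: X-trailer\r\nX-trailer: foo\r\n\r\n";
	enum verdict v = check_trailer_without_body(req);
	printf("verdict=%s drops=%lu\n", v == VERDICT_DROP ? "drop" : "pass",
	       trailer_no_body_drop_count());
	return 0;
}
```

Making the header "special" in the parser, as the issue suggests, amounts to setting the `has_trailer` flag at the point the field name is recognised rather than re-scanning the head; the decision itself still has to wait until the end of the header block, because Content-Length or Transfer-Encoding may follow the Trailer header.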

@krizhanovsky added the labels security, low priority, good to start on Sep 12, 2024
@krizhanovsky added this to the 1.0 - GA milestone on Sep 12, 2024