Re: Bare CR in header fields
Willy Tarreau <w@1wt.eu> Thu, 21 January 2021 04:07 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AA4E3A172D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Jan 2021 20:07:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.673
X-Spam-Level:
X-Spam-Status: No, score=-2.673 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.248, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeczo9-AQQdm for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Jan 2021 20:07:57 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A0073A172C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 20 Jan 2021 20:07:56 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1l2RDj-0000e6-EI for ietf-http-wg-dist@listhub.w3.org; Thu, 21 Jan 2021 04:05:19 +0000
Resent-Date: Thu, 21 Jan 2021 04:05:19 +0000
Resent-Message-Id: <E1l2RDj-0000e6-EI@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <w@1wt.eu>) id 1l2RDh-0000dE-Fa for ietf-http-wg@listhub.w3.org; Thu, 21 Jan 2021 04:05:18 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by titan.w3.org with esmtp (Exim 4.92) (envelope-from <w@1wt.eu>) id 1l2RDf-0003Nu-Ex for ietf-http-wg@w3.org; Thu, 21 Jan 2021 04:05:17 +0000
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 10L451gZ023311; Thu, 21 Jan 2021 05:05:01 +0100
Date: Thu, 21 Jan 2021 05:05:01 +0100
From: Willy Tarreau <w@1wt.eu>
To: Cory Benfield <cory@lukasa.co.uk>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20210121040501.GA23303@1wt.eu>
References: <CAH_hAJGP+W3qY42jEJ10g=LyR=SbxOs+UT5KK8u737paj8SgNA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAH_hAJGP+W3qY42jEJ10g=LyR=SbxOs+UT5KK8u737paj8SgNA@mail.gmail.com>
User-Agent: Mutt/1.6.1 (2016-04-27)
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1l2RDf-0003Nu-Ex f5f0edbfaf478193bb0e948010563b5d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Bare CR in header fields
Archived-At: <https://www.w3.org/mid/20210121040501.GA23303@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38384
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Cory, On Wed, Jan 20, 2021 at 09:06:16PM +0000, Cory Benfield wrote: > In particular, I'll note that Roy said, a year and a half ago, "If > some browsers interpret CR as a line delimiter in HTTP protocol fields > (other than payload content), they have security holes that should be > fixed." Is that the position of this working group? To be honest, that was my immediate thinking when I've read your scary story about browsers taking them as field terminators! It indeed means that it's likely possible to send them such responses and expect some content smuggling over persistent connections: HTTP/1.1 200 OK Content-length: 10000 X-foo: blah\rTransfer-encoding: chunked 0\r\n HTTP/1.1 200 OK Content-length: 9900 This is the content non-compliant clients will take as the response for the second request. This could for example be used to inject malicious code bypassing client-side anti-malware solutions, so it should not be taken lightly. > Who is > coordinating with these implementations to address that security hole? That's unclear, as I think that all major implementations were represented when this spec was written. However it's certain that it's not always trivial for an implementation to spot issues that affect them in so detailed a spec. It's also possible that some of these decided to still support that behavior for various reasons and to apply special safety belts (e.g. no cache, no persistent connections, no cookies etc). Maybe the simplest would be to open a bug report in each of them's issue tracker. Even if they decide to close it, the justfication will remain there and accessible to anyone, should new threats pop up. Just my two cents, Willy
- Bare CR in header fields Cory Benfield
- Re: Bare CR in header fields Willy Tarreau
- Re: Bare CR in header fields Cory Benfield
- Re: Bare CR in header fields Willy Tarreau