-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request Smuggling in WEBrick via bad chunk-size parsing #124
Comments
Reviewing RFC 9112 section 7.1 (https://datatracker.ietf.org/doc/html/rfc9112#section-7.1), I think the issue is webrick is interpreting diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index 7a1686b..23d9b05 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -542,7 +542,7 @@ module WEBrick
def read_chunk_size(socket)
line = read_line(socket)
- if /^([0-9a-fA-F]+)(?:;(\S+))?/ =~ line
+ if /\A([0-9a-fA-F]+)(?:;(\S+=\S+))?\r\n\z/ =~ line
chunk_size = $1.hex
chunk_ext = $2
[ chunk_size, chunk_ext ] |
The value of a
So I think the patch should maybe be this: diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index 7a1686b..23d9b05 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -542,7 +542,7 @@ module WEBrick
def read_chunk_size(socket)
line = read_line(socket)
- if /^([0-9a-fA-F]+)(?:;(\S+))?/ =~ line
+ if /\A([0-9a-fA-F]+)(?:;(\S+(?:=\S+)?))?\r\n\z/ =~ line
chunk_size = $1.hex
chunk_ext = $2
[ chunk_size, chunk_ext ] |
Also, I think the primary issue was with the missing |
Agreed. I'm not sure when I'll have time to work on a test for this, but your patch looks good. |
This fixes a request smuggling vulnerability (Fixes ruby#124). Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
@kenballus I submitted a pull request that uses your fix and adds a test: #125 |
This fixes a request smuggling vulnerability (Fixes #124). Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
When WEBrick receives a request containing an invalid chunk size, it is interpreted as its longest valid prefix. Thus, chunk sizes that begin with
0x
are treated as equivalent to0
.To see why this is a security problem, consider the following payload:
WEBrick sees it as a
POST
request for/
, followed by aGET
for/evil
:Unfortunately, some HTTP servers ignore
0x
prefixes in chunk sizes due to bad parsing logic. Thus, many servers see aPOST
request for/
and aGET
request for/
:This discrepancy is exploitable to bypass request filtering rules implemented in reverse proxies that ignore
0x
prefixes.The text was updated successfully, but these errors were encountered: