Whitespace is incorrectly stripped from the ends of header names, before the :
#2016
Comments
I am reporting this in public because reverse proxies are not as lenient as they once were, and I'm not aware of any reverse proxies that still forward spaces at the ends of header values. I imagine that such servers exist, but they are less used than they once were, so I estimate that the risk of this bug is low in the present day.
This is likely something to address in Cheroot, which is what actually implements HTTP underneath CherryPy.
I wonder if resurrecting the abandoned effort of substituting the HTTP parsing with h11 would address this automatically... cherrypy/cheroot#201 / cherrypy/cheroot#262
I'll move this issue to Cheroot
FYI I could've just transferred this issue there — just ask next time. I didn't do that initially because there's no reproducer/research verifying this yet.
I'm submitting a ...
Do you want to request a feature or report a bug?
Report a bug.
What is the current behavior?
CherryPy strips whitespace from the ends of header names.
If the current behavior is a bug, please provide the steps to reproduce and, if possible, screenshots and logs of the problem. If you can, show us your code.
Send a request with whitespace after the `Content-Length` header name, before the `:`, such as the following:

Z

CherryPy's handling of this request indicates that it stripped the space from the end of the header name.

What is the expected behavior?
RFC 9112, section 5.1 requires that requests with space after header names MUST be rejected:
What is the motivation / use case for changing the behavior?
In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling.
Please tell us about your environment:
Linux 29deec81efdd 6.7.2-arch1-2 #1 SMP PREEMPT_DYNAMIC Wed, 31 Jan 2024 09:22:15 +0000 x86_64 GNU/Linux
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)
Most other servers reject messages containing space before the `:`, as the standard requires. These include AIOHTTP, Apache httpd, Bun, Daphne, Deno, FastHTTP, Go net/http, Gunicorn, H2O, Hyper, Hypercorn, Jetty, Lighttpd, Mongoose, Nginx, Node.js, LiteSpeed, Passenger, Puma, Tomcat, Unicorn, Uvicorn, Waitress, and WEBrick.