SERVER-90260: Patched Fix Inconsistent Interpretation of HTTP Requests Smuggling #1591
+25
−95
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Description Summary
Affected of this project `mongodb/mongo` are vulnerable to HTTP Request Smuggling in the `twisted.web.http` module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.
```js
endOfLengthIndex = self._buffer.find(b";", 0, eolIndex)
if endOfLengthIndex == -1:
endOfLengthIndex = eolIndex
try:
length = int(self._buffer[0:endOfLengthIndex], 16)
except ValueError:
raise _MalformedChunkedDataError("Chunk-size must be an integer.")
if length < 0:
raise _MalformedChunkedDataError("Chunk-size must not be negative.")
elif length == 0:
```
```
self.assertEqual(
request.requestHeaders.getRawHeaders(b"spaces"),
[b"spaces spaces spaces"],
)
self.assertEqual(
request.requestHeaders.getRawHeaders(b"tab"),
[b"t \ta \tb"],
```
## Impact
The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.
CVE-2022-24801
CWE-444
**`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`**
imhunterand
changed the title
|
Thanks for making this pull request! We just need a couple of things from you to start our consideration of the PR. Can you please:
|
kelly-cs
changed the title
|
Hi @kelly-cs, I see the ticket you created SERVER-90260 is not found. could you please check the ticket? I cannot find it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description Summary
Affected of this project
mongodb/mongoare vulnerable to HTTP Request Smuggling in thetwisted.web.httpmodule which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.Impact
The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.
CVE-2022-24801
CWE-444
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H