No parsing of headers after malformed HTTP/1.1 header (e.g. space) #1374

Open
bwbroersma opened this issue Mar 29, 2024 · 0 comments
Labels
bug Unexpected or unwanted behaviour of current implementations

Collaborator

bwbroersma commented Mar 29, 2024

No parsing of headers after malformed HTTP/1.1 header (e.g. space). It looks like this can only happen in HTTP/1.1?

See RFC 7230 page 23 and § 3.2.4 that `field-name : value` is not valid. Based on the related bugs, it seems at least possible to set up an invalid HTTP header in Microsoft IIS (2/3 cases are IIS).
@baknu noticed that 🦊 Firefox won't show these invalid headers in the Network tab in the Response Headers, even in 'Raw' view.

The problem is an upstream 🐛 bug in Python http.client which is used by Requests:

Related Requests 🐛 bugs:

Related issues:


Example https-client.py (used with $ python https-client.py target.host):

```python
import http.client
import ssl
import sys

# A bare SSLContext() does not verify the server certificate or hostname.
context = ssl.SSLContext()
context.options |= ssl.OP_NO_TICKET  # do not offer TLS session tickets
host = sys.argv[1]
conn = http.client.HTTPSConnection(host, context=context)
conn.request(
    "GET",
    "/",
    headers={
        "Host": host,
        "User-Agent": "internetnl/1.0",
        "Accept": "*/*",
        "Accept-Encoding": "deflate, gzip, br",
    },
)
response = conn.getresponse()
# Print every header that http.client managed to parse.
for k, v in response.getheaders():
    print(f"{k}: {v}")
```

Example curl (with a similar TLS ClientHello):

```
$ curl -A 'internetnl/1.0' 'https://target.host/' -D- -o/dev/null -sSf --http1.1 --compressed --no-alpn --no-npn
```

Doing a diff (skipping the Response line with | tail -n+2) results in:

```
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.2.4
X-Powered-By: ASP.NET
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options : nosniff
> Strict-Transport-Security: max-age=63072000
> Referrer-Policy: same-origin
> Content-Security-Policy: default-scr 'self'
> Date: Fri, 29 Mar 2024 14:59:16 GMT
```

The last 5 lines will be shown in curl, but won't be available in Requests / http.client (of course the other issue here is in the CSP, default-scr should be default-src).

@bwbroersma bwbroersma added the bug Unexpected or unwanted behaviour of current implementations label Mar 29, 2024
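
Added example, not part of the original issue or the project's code: an offline reproduction that feeds a header block to `http.client.parse_headers` and compares the result with a lenient line scan, so a header checker can tell "security header absent" apart from "security header dropped after a malformed line". The header bytes are a constructed sample modelled on the diff above; `scan_header_block` and `lost_by_http_client` are hypothetical helper names.

```python
import http.client
import io
import re

# Constructed sample modelled on the header diff in this issue: one field has
# a space between the field-name and the colon (invalid per RFC 7230 § 3.2.4).
RAW_HEADERS = (
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-Content-Type-Options : nosniff\r\n"
    b"Strict-Transport-Security: max-age=63072000\r\n"
    b"Referrer-Policy: same-origin\r\n"
    b"\r\n"
)

# Lenient line matcher: a token, optional (invalid) whitespace, then the colon.
FIELD_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)([ \t]*):")


def scan_header_block(raw):
    """Return (names, malformed): every field name seen in the raw block, and
    the names whose line has whitespace before the colon."""
    names, malformed = [], []
    for line in raw.split(b"\r\n"):
        if not line:
            break  # empty line ends the header section
        m = FIELD_LINE.match(line)
        if m is None:
            continue  # folded or otherwise unparseable line: not handled here
        name = m.group(1).decode("ascii")
        names.append(name)
        if m.group(2):
            malformed.append(name)
    return names, malformed


def lost_by_http_client(raw):
    """Names present on the wire that http.client.parse_headers does not return."""
    parsed = http.client.parse_headers(io.BytesIO(raw))
    seen = {k.lower() for k in parsed.keys()}
    names, _ = scan_header_block(raw)
    return [n for n in names if n.lower() not in seen]


if __name__ == "__main__":
    print("malformed:", scan_header_block(RAW_HEADERS)[1])
    print("lost by http.client:", lost_by_http_client(RAW_HEADERS))
```

A non-empty result from `lost_by_http_client` means any verdict about missing HSTS, CSP or similar headers should be reported as a malformed-header finding rather than as an absent header.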