[core] thwart h2 request tunnelling

Existing behavior: strict header parsing, strict host parsing, and
basic url normalization are enabled by default in lighttpd, and
protect against h2 request tunnelling attempts using invalid chars
in headers.

Keeping strict parsing settings enabled is strongly recommended.

If any are explicitly disabled in lighttpd.conf, then this patch takes
steps to thwart h2 request tunnelling.

x-ref:
  "HTTP/2: The Sequel is Always Worse"
  https://portswigger.net/research/http2
Glenn Strauss 2 months ago
parent
commit
f85dcba7ab
4
src/request.c

@ -48,6 +48,7 @@ __attribute_pure__
static const char * http_request_check_line_minimal (const char * const restrict s, const uint_fast32_t len) {
for (uint_fast32_t i = 0; i < len; ++i) {
if (__builtin_expect( (s[i] == '\0'), 0)) return s+i;
if (__builtin_expect( (s[i] == '\n'), 0)) return s+i;
}
return NULL;
}
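Review bot: the loop in http_request_check_line_minimal() returns on '\0' and '\n' but lets a bare '\r' through, and nothing in the hunk says why LF alone is enough. Since the commit message presents this as the protection for configurations where strict header parsing is disabled, either add a '\r' test next to the '\n' one or add a comment above the function stating that a lone CR is deliberately allowed and why a backend cannot treat it as a line terminator. A short comment naming the function as the fallback for non-strict parsing would also help, because the name "minimal" alone does not say which checks it replaces.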
@ -1012,12 +1013,15 @@ static int http_request_parse_header_other(request_st * const restrict r, const
case ' ':
case '\t':
return http_request_header_line_invalid(r, 400, "WS character in key -> 400");
case '\r':
case '\n':
case '(':
case ')':
case '<':
case '>':
case '@':
case ',':
case ':':
case ';':
case '\\':
case '\"':
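Review bot: in http_request_parse_header_other() the '\r' and '\n' labels sit in the same fall-through group as '(' ')' '<' '>' and the other separator characters, and the lines shown end before the statement that group reaches, so it is not visible whether the rejection is unconditional. If that shared branch is gated on strict header parsing, CR and LF in a header key would still pass in exactly the configuration the commit message is targeting; giving them their own return, like the "WS character in key -> 400" case just above, would make the behaviour explicit and the log message specific. The change touches only src/request.c, so a regression test that sends a header key containing CR or LF with strict parsing disabled and expects 400 would be worth adding.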
