public security bugs #4

pajod · 2025-04-08T16:29:58Z

This contains only publicly documented security-sensitive parser issues in Gunicorn 23.0.0

This PR is meant to simplify testing patches and gather feedback on edge cases until decisions are made upstream.

missing URL validation for CONNECT method
- likelihood: only crafted requests
- exploitable if: behind proxy and application accepts CONNECT method
- impact: confused proxy (request smuggling)
- public issue: Parsing issue of the CONNECT method benoitc/gunicorn#3363
- public PR: refuse HTTP method CONNECT benoitc/gunicorn#3367
- UNFINISHED: should not use 405, see https://datatracker.ietf.org/doc/html/rfc9110#name-405-method-not-allowed
ignoring invalid whitespace in transfer-coding
- likelihood: only crafted requests
- exploitable if: incorrect proxy behavior
- impact: confused proxy (request smuggling)
- public issue: Gunicorn incorrectly strips certain characters from transfer-codings benoitc/gunicorn#3364
- public PR: remove whitespace in transfer-encoding benoitc/gunicorn#3369
NUL in URLs
- likelihood: only crafted requests
- exploitable if: incorrect proxy behavior
- impact: confused proxy (request smuggling)
- public issue: Gunicorn incorrectly accepts NUL within URIs benoitc/gunicorn#3371
- public PR: (permissive) request target validation benoitc/gunicorn#3373
pretending to support additional T-E
- likelihood: only crafted requests
- exploitable if: always (unless blocked by proxy)
- impact: confused application (wrong body), WAF bypass (checked body != used body)
- public PR: stop pretending to support gzip *request* transfer-encoding benoitc/gunicorn#3368
wrong host when using absolute-form or multiple host headers
- likelihood: rare (only unusual clients)
- exploitable if: incorrect proxy behavior
- impact: WAF bypass (checked URL != used URL)
- public issue: Issues in Parsing HTTP Request "Host" Header benoitc/gunicorn#3361
- public issue: Incorrect Handling of Absolute-Form Request-Target Authority benoitc/gunicorn#3370
- UNFINISHED: conflicting Host header is must be ignored, not refused
accepting requests lacking a host header
- likelihood: rare (only unusual clients and/or connections via unix sockets)
- exploitable if: application parses env
- impact: application crash upon receipt of unusual SERVER_NAME / SERVER_PORT
- public issue: Issues in Parsing HTTP Request "Host" Header benoitc/gunicorn#3361
invalid controls in chunk extensions
- likelihood: only crafted requests
- exploitable if: incorrect proxy behavior
- impact: confused proxy (request smuggling)
- public PR: fix: problematic parsing leniency in parsing chunk extensions benoitc/gunicorn#3327
informational responses to HTTP/1.0 requests
- likelihood: common
- exploitable if: incorrect or ancient proxy
- impact: confused proxy (response smuggling), confused client (partial response)
- public issue: unexpected informational 1xx responses benoitc/gunicorn#3374

Has special syntax and meaning for proxies, neither of which we fully implement, possibly confusing proxies.

being strict about how to parse the T-E header (if in doubt, refuse) avoids security implications of non-compliant HTTP proxies

as python url parser is not strict, something inside the url might be sufficient for framing disagreements with HTTP proxies

demand case-insensitive match of duplicate headers, or host header sent in url with absolute-form target UNFINISHED: This patch is not compliant with https://datatracker.ietf.org/doc/html/rfc9112#section-3.2.2-6 "When a proxy receives a request with an absolute-form of request-target, the proxy MUST ignore the received Host header field (if any) and instead replace it with the host information of the request-target."

pajod added 7 commits April 7, 2025 16:32

update docs

4bb0f06

CI: remove CPython 3.7 (EoL)

8064aa0

HTTP/1.0 - ignore Expect: 100-continue

0c724ac

refuse CONNECT method

4a7a83e

Has special syntax and meaning for proxies, neither of which we fully implement, possibly confusing proxies.

stop silently dropping T-E header parts

772222c

being strict about how to parse the T-E header (if in doubt, refuse) avoids security implications of non-compliant HTTP proxies

refuse confusing control chars in chunk-ext & url

9d27f4f

as python url parser is not strict, something inside the url might be sufficient for framing disagreements with HTTP proxies

pajod force-pushed the gunicorn23-security branch from 38b728b to d2033b0 Compare April 8, 2025 16:33

pajod added 2 commits April 10, 2025 15:55

UNFINISHED: extra tests

5371889

optin codeQL advanced

52c4162

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

public security bugs #4

public security bugs #4

pajod commented Apr 8, 2025 •

edited

Loading

public security bugs #4

Are you sure you want to change the base?

public security bugs #4

Conversation

pajod commented Apr 8, 2025 • edited Loading

pajod commented Apr 8, 2025 •

edited

Loading