
bump to llhttp v6.0.10

Open nlsj1985 opened this issue 3 years ago • 4 comments

Please bump httptools version. It seems that there was some parsing issue remaining with regard to the CVE's llhttp v6.0.10 changelog:

http: disable chunked encoding when OBS fold is used

Fixes: https://hackerone.com/reports/1630336
Fixes: https://hackerone.com/reports/1665156
Fixes: https://hackerone.com/reports/1675191

nlsj1985, Sep 24 '22 17:09

I can't access any of those:

Fixes: https://hackerone.com/reports/1630336
Fixes: https://hackerone.com/reports/1665156
Fixes: https://hackerone.com/reports/1675191

Kludex, Sep 26 '22 11:09

Yeah, sorry, I thought one could read the hackerone reports after registering, but they aren't public (I can't access them either).

The release/change notes were a bit fuzzy when I read them the first time. This patch is related to CVE-2022-32213 (medium): llhttp doesn't correctly handle Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). You can ignore the other numbers.

v6.0.10 fixes "bypass via obs-fold mechanic" it seems.

nlsj1985, Sep 26 '22 12:09
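To make the "obs-fold mechanic" discussed in the comments above concrete from the parser's side, here is an added example (not httptools or llhttp code, and not taken from the thread). It parses a raw HTTP/1.1 header block, unfolds obsolete line folding (a continuation line starting with SP or HTAB, RFC 7230 section 3.2.4) and, mirroring the llhttp v6.0.10 changelog entry quoted in the issue, refuses a request whose Transfer-Encoding (or Content-Length) field was folded instead of treating it as chunked framing. The two request byte strings are constructed sample input; the function names `parse_headers`, `framing_problems` and `framing_is_safe` are this example's own.

```python
"""Refuse requests that use obs-fold in framing headers.

Added example for this issue thread; not httptools or llhttp code.
The sample requests below are constructed, not taken from any report.
"""

# Headers that decide where the message body ends. A folded value here is
# refused outright (as llhttp v6.0.10 does) rather than interpreted.
FRAMING_HEADERS = {"transfer-encoding", "content-length"}


def parse_headers(raw: bytes):
    """Parse the header block of a raw request.

    Returns (request_line, headers, problems):
      headers  maps lower-cased field names to a list of values
      problems lists anomalies seen while parsing; every obs-fold
               continuation line is recorded as "obs-fold in <name>"
    Continuation lines are appended to the previous value with one SP,
    which is the RFC 7230 replacement rule for obs-fold.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: dict[str, list[str]] = {}
    problems: list[str] = []
    current = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold: the line continues the previous field's value
            if current is None:
                problems.append("obs-fold before first header field")
                continue
            cont = line.strip().decode("latin-1")
            headers[current][-1] = (headers[current][-1] + " " + cont).strip()
            problems.append(f"obs-fold in {current}")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"malformed header line: {line!r}")
            continue
        current = name.strip().lower().decode("latin-1")
        headers.setdefault(current, []).append(value.strip().decode("latin-1"))
    return request_line, headers, problems


def framing_problems(raw: bytes) -> list[str]:
    """Return the anomalies that affect body framing (empty means none)."""
    _, _, problems = parse_headers(raw)
    prefix = "obs-fold in "
    return [p for p in problems
            if p.startswith(prefix) and p[len(prefix):] in FRAMING_HEADERS]


def framing_is_safe(raw: bytes) -> bool:
    """True when no framing header was line-folded; the request may proceed."""
    return not framing_problems(raw)


# Constructed sample requests.
FOLDED_USER_AGENT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: demo\r\n"
    b" client/1.0\r\n"          # obs-fold in a non-framing header: unfolded, tolerated
    b"\r\n"
)
FOLDED_TRANSFER_ENCODING = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding:\r\n"
    b" chunked\r\n"             # obs-fold in a framing header: request refused
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (FOLDED_USER_AGENT, FOLDED_TRANSFER_ENCODING):
        line, hdrs, probs = parse_headers(sample)
        verdict = "accept" if framing_is_safe(sample) else "reject"
        print(line, verdict, probs, hdrs)
```

Only the second sample is refused: the folded User-Agent is merely unfolded and logged, while a folded Transfer-Encoding is a framing anomaly that a front end and back end may resolve differently, so it is safer to answer 400 than to guess. In practice the check belongs in front of any parser version that predates the fix; once httptools ships llhttp 6.0.10 or later, the parser itself applies the same rule.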

Thanks 👍

And just to be sure, as I said on the uvicorn PR, we don't pin the httptools version. We just bump the minimum version to force users to install versions that are not compromised. This means that if httptools bumps the version, uvicorn users can already benefit from it.

Kludex, Sep 26 '22 12:09

Thanks also!

nlsj1985, Sep 26 '22 12:09