ATS forwards invalid header names

Open kenballus opened this issue 2 years ago • 1 comments

ATS accepts and forwards header names containing the following characters, all of which RFC 9110 does not permit in header names: \t, , ", (, ), ,, /, ;, <, =, >, ?, @, [, \\, ], {, }, and the entire range from \x80 to \xff.

Of particular note is that ATS forwards \x85 and \xa0, because these characters are stripped by python's str.strip, and are therefore stripped from headers in a certain buggy HTTP server of which I am aware. This is essentially the same issue as the one fixed by https://github.com/apache/trafficserver/pull/3192, but affects only servers that treat \x85 and \xa0 as whitespace.

Sep 18 '23 23:09 kenballus

This is usable for request smuggling when ATS is in front of Gunicorn.

Dec 03 '23 17:12 kenballus