Version 0.19.0
Checklist
- [x] #1640
- [ ] #1639
- [ ] #1642 or #1661
- [x] #1645
- [x] #1652
Diff: https://github.com/encode/uvicorn/compare/0.18.3...master Draft: missing
@Kludex httptools 5.0.0 just got released with the CVE fixes in llhttp. It seems it will get included in uvicorn automatically when you create a release, but I'm not sure. Perhaps it's best to bump the version explicitly... thanks for checking it.
- #1645 :+1:
I'd like to make a release soon. :pray:
Note: I made a PR in the httptools project for the latest llhttp (v6.0.10) update, but I guess it's wise to first proceed with this httptools 0.5.0 in uvicorn 0.19.0 and, when we get a new httptools version, queue it for the following uvicorn...
Would you mind sharing the link?
But there's nothing uvicorn needs to do... Unless the bump solved any CVE.
httptools v5.0.0 contains llhttp release/v6.0.9, which included some fixes for the 3 CVEs that were done in llhttp release/v6.0.7.
llhttp release/v6.0.10 seems to update a resolution for CVE-2022-32213: Disable chunked on obs by @ShogunPanda in https://github.com/nodejs/llhttp/pull/196
nodejs https://github.com/nodejs/node/releases/tag/v18.9.1 has a paragraph about llhttp that mentions a bit more: bypass via obs-fold mechanic (Medium) (CVE-2022-32213): The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
There are 3 changes in src/llhttp/http.ts: https://github.com/nodejs/llhttp/commit/f49fbf5c818ccc7e4d9994393b8f8e1d96483d7e
So without reverse engineering the entire llhttp release/v6.0.10 commit, it seemed to me there are actual improvements made for the CVE in relation to obs-folds, which I guess were missed in the earlier patch for the same CVE. If you want to know more, please check the patch or ask ShogunPanda, who makes the patches for the llhttp project.
I'm just a random user that's trying to be instrumental in getting fixes into uvicorn asap.
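To make the obs-fold point above concrete from the server side, here is an added example (not uvicorn's or llhttp's code, and the parser and sample requests are my own constructions): a minimal HTTP/1.1 header-block parser that refuses obs-fold continuation lines, the input class that CVE-2022-32213 concerns, and a framing check that refuses the Transfer-Encoding/Content-Length conflict that makes two parsers disagree about where a request ends.

```python
from typing import Dict, List, Optional

def parse_header_block(raw: bytes, reject_obs_fold: bool = True) -> Dict[bytes, List[bytes]]:
    """Parse the header section after the request line, up to the blank line.

    A line starting with SP or HTAB is an obs-fold (RFC 7230 3.2.4) continuing the
    previous field value. A server must either reject the message or replace the
    fold with one SP before interpreting it. Rejecting is the default: a folded
    Transfer-Encoding is exactly what two parsers in a chain may read differently.
    """
    headers: Dict[bytes, List[bytes]] = {}
    last_name: Optional[bytes] = None
    for line in raw.split(b"\r\n"):
        if line == b"":
            break  # end of the header section
        if line[:1] in (b" ", b"\t"):
            if last_name is None:
                raise ValueError("obs-fold before any header field")
            if reject_obs_fold:
                raise ValueError(f"obs-fold in {last_name.decode()!r} rejected")
            prev = headers[last_name][-1]  # unfold: join with a single SP
            headers[last_name][-1] = (prev + b" " + line.strip(b" \t")).strip(b" \t")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name or name.strip(b" \t") != name:
            raise ValueError(f"malformed header line {line!r}")
        last_name = name.lower()
        headers.setdefault(last_name, []).append(value.strip(b" \t"))
    return headers

def body_framing(headers: Dict[bytes, List[bytes]]) -> str:
    """Return 'chunked', 'content-length' or 'none'. Transfer-Encoding wins over
    Content-Length (RFC 7230 3.3.3); a message carrying both is refused, because
    honouring one while a peer honours the other is the classic desync."""
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip(b" \t").lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            raise ValueError("final transfer-coding is not chunked")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("invalid or conflicting Content-Length")
        return "content-length"
    return "none"

# Constructed samples: a well-formed chunked request, and the same header obs-folded.
GOOD = b"Host: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
FOLDED = b"Host: example.test\r\nTransfer-Encoding:\r\n chunked\r\n\r\n"
```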
This is the link I wanted: https://github.com/MagicStack/httptools/pull/86 🙏
uvicorn doesn't pin httptools. I've only bumped the minimum requirement of httptools to 0.5.0 to force users to bump it, but it was actually not needed. We are only blocked by httptools here.
@nlsj1985 I can confirm folks. All OBS fold CVEs are fixed in 6.0.10
Next week I plan to release llhttp 7 with more features about passable callbacks and chunked encoding parsing, just FYI.
Thanks for coming here, and let us know. Much appreciated! 🙏
You're welcome! 😉
- Only #1706 missing for 0.19.0 to be released.
Ready for release. GitHub release draft ready as well.
I'll release it tonight. Thanks @tomchristie 🙏