Ben Kallus

Results 93 comments of Ben Kallus

@kgaughan, I encourage you to look at some of the parsing bugs that have been found to be exploitable in the past. Often, it's stuff that seems harmless in isolation,...

Also a problem when host is '['

My mistake; using `ParseResult.from_string` fixes this. I should have read the docs more thoroughly. Why is it that we have a non-validating parser? Some large projects (httpx) use this parser,...

> on which version did you test?

I tested this on a Gunicorn built from source at the latest commit (bacbf8aa5152b94e44aa5d2a94aeaf0318a85248).

Once again, you are demonstrating that you do not understand request smuggling. It's not about the app; it's about **upstream load balancers**. Suppose that you have the following scenario: ```...

The load balancer doesn't insert it; the client (attacker) does. You'd be surprised how many load balancers ignore and forward unrecognized `transfer-coding`s. Both Pound and LiteSpeed exhibited this behavior until...

> @kenballus Not counting that the advised way of using gunicorn is behind a proxy

Request smuggling is only possible when there are intermediary servers involved. If Gunicorn were *not*...

Of course you could always glue the validation on top. The issue is that this is not handled automatically, as it is in nearly all other HTTP libraries.

Yep! And it's not just Libsoup :) We have a tool for finding these kinds of bugs over at https://github.com/narfindustries/http-garden. I'd be happy to collaborate; send me an email! We...