netty3/CVE-2019-16869.patch
wang--ge 2d31632a92 Fix CVE-2019-16869,CVE-2019-20444,CVE-2019-20445
(cherry picked from commit b5dcfb9cf26eebff92094854f5f6c0feec79952b)
2024-08-28 10:47:32 +08:00


From 39cafcb05c99f2aa9fce7e6597664c9ed6a63a95 Mon Sep 17 00:00:00 2001
From: Norman Maurer <norman_maurer@apple.com>
Date: Fri, 20 Sep 2019 21:02:11 +0200
Subject: [PATCH] Correctly handle whitespaces in HTTP header names as defined
by RFC7230#section-3.2.4 (#9585)
Motivation:
When parsing HTTP headers special care needs to be taken when a whitespace is detected in the header name.
Modifications:
- Ignore whitespace when decoding response (just like before)
- Throw exception when whitespace is detected during parsing
- Add unit tests
Result:
Fixes https://github.com/netty/netty/issues/9571
---
.../handler/codec/http/HttpObjectDecoder.java | 16 +++++++++++++++-
.../codec/http/HttpRequestDecoderTest.java | 14 ++++++++++++++
.../codec/http/HttpResponseDecoderTest.java | 15 +++++++++++++++
3 files changed, 44 insertions(+), 1 deletion(-)
--- a/src/main/java/org/jboss/netty/handler/codec/http/HttpMessageDecoder.java
+++ b/src/main/java/org/jboss/netty/handler/codec/http/HttpMessageDecoder.java
@@ -700,7 +700,7 @@
cStart < cEnd? sb.substring(cStart, cEnd) : "" };
}
- private static String[] splitHeader(String sb) {
+ private String[] splitHeader(String sb) {
final int length = sb.length();
int nameStart;
int nameEnd;
@@ -711,7 +711,21 @@
nameStart = findNonWhitespace(sb, 0);
for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
char ch = sb.charAt(nameEnd);
- if (ch == ':' || Character.isWhitespace(ch)) {
+ // https://tools.ietf.org/html/rfc7230#section-3.2.4
+ //
+ // No whitespace is allowed between the header field-name and colon. In
+ // the past, differences in the handling of such whitespace have led to
+ // security vulnerabilities in request routing and response handling. A
+ // server MUST reject any received request message that contains
+ // whitespace between a header field-name and colon with a response code
+ // of 400 (Bad Request). A proxy MUST remove any such whitespace from a
+ // response message before forwarding the message downstream.
+ if (ch == ':' ||
+ // In case of decoding a request we will just continue processing and header validation
+ // is done in the DefaultHttpHeaders implementation.
+ //
+ // In the case of decoding a response we will "skip" the whitespace.
+ (!isDecodingRequest() && Character.isWhitespace(ch))) {
break;
}
}
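Review bot: On the request path, rejecting a header name with whitespace before the colon now depends entirely on validation outside this hunk: with the `Character.isWhitespace(ch)` break limited to `!isDecodingRequest()`, the loop runs on to the `:` and the name keeps its trailing whitespace. The added comment names `DefaultHttpHeaders` as the validator, but that wording appears to be carried over from the upstream change (the diffstat lists `HttpObjectDecoder.java`, while this hunk patches `HttpMessageDecoder.java`). It is worth confirming that this tree's header-add path actually rejects such names and that callers cannot disable the validation. The diffstat also lists request and response decoder tests; if they are not part of this backport, add a request test asserting that a line such as `Transfer-Encoding : chunked` is rejected and a response test asserting that the whitespace is dropped from the name. The body of `splitHeader` continues past the end of the hunk, so how the name is handed on cannot be checked from here.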