I'm submitting a ... question about the decisions made in the repository
Describe the bug. What is the current behavior?
Cheroot allows empty HTTP header names, which are not valid according to the field-name grammar from RFC 9110.
What is the motivation / use case for changing the behavior?
In the past, empty header names have been used to execute request smuggling attacks, due to the fact that some gateways have historically treated \r\n:\r\n equivalently to \r\n\r\n.
To Reproduce
Start a Cheroot-based HTTP server, and send it a request with an empty header name. For example,
GET / HTTP/1.1\r\n
Host: whatever\r\n
: no-name\r\n
\r\n
You will see that the request is accepted, and the empty header is treated just like any other header.
Expected behavior
Cheroot should respond 400.
This is what most other HTTP implementations (including AIOHTTP, Apache, Daphne, Deno, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Lighttpd, Nginx, Node.js, LiteSpeed, Passenger, Puma, Tomcat, Unicorn, Uvicorn, Waitress, and WEBrick) do.
Environment
Cheroot version: 10.0.2.dev71+g1ff20b18
Python version: 3.11.9
OS: Linux 6.9.6
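The check the report asks for, as an added example (not Cheroot's own code): a small header-block validator that applies the RFC 9110 field-name grammar (field-name = token, token = 1*tchar) and returns the 400 status the reporter expects for the request shown above. The request bytes and the helper names (check_request, parse_header_block) are constructed here for illustration.

```python
"""Reject HTTP/1.1 requests whose header block contains an empty or
otherwise invalid field-name (RFC 9110 section 5.1 token grammar).

Added example; not Cheroot's own code.
"""
import re

# tchar per RFC 9110 section 5.6.2:
# "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_"
# / "`" / "|" / "~" / DIGIT / ALPHA ; a field-name is one or more tchar,
# so an empty name (the ": no-name" line in the report) fails here.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_header_block(raw: bytes):
    """Parse everything after the request line up to the blank line.

    Returns (status, headers): status is None when the block is valid and
    headers holds (name, value) pairs; otherwise status is the HTTP status
    a server should answer with (400) and headers is empty.
    """
    headers = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            break  # blank line: end of the header block
        name, sep, value = line.partition(b":")
        if not sep:
            return 400, []  # no colon at all: not a field line
        name = name.decode("latin-1")
        # Empty name, whitespace before the colon, or a non-tchar byte all
        # fail the token regex. A line starting with SP/HTAB (obs-fold) also
        # lands here; RFC 9112 section 5.2 permits rejecting that with 400.
        if not _TOKEN_RE.match(name):
            return 400, []
        headers.append((name, value.strip().decode("latin-1")))
    return None, headers


def check_request(raw: bytes):
    """Split off the request line and validate the header block."""
    request_line, sep, rest = raw.partition(b"\r\n")
    if not sep:
        return 400, []
    return parse_header_block(rest)


# Constructed sample input: the request from the bug report.
EMPTY_NAME_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: whatever\r\n"
    b": no-name\r\n"
    b"\r\n"
)

# Constructed sample input: a well-formed request for comparison.
VALID_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: whatever\r\n"
    b"X-Trace: abc\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(check_request(EMPTY_NAME_REQUEST))  # (400, [])
    print(check_request(VALID_REQUEST))
```

check_request returns (400, []) for the report's request and (None, [("Host", "whatever"), ("X-Trace", "abc")]) for the well-formed one; a name containing a space, such as "Bad Name", is rejected the same way since SP is not a tchar.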