BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-encoding

Nathan Davison (@ndavison) reported that in legacy mode we don't
correctly reject requests or responses featuring a transfer-encoding
header missing the "chunked" value. As mandated in the protocol spec,
the test verifies that "chunked" is the last one, but only does so when
it is present. As such, "transfer-encoding: foobar" is not rejected,
only "transfer-encoding: chunked, foobar" will be.

The impact is limited, but if combined with "http-reuse always", it
could be used as a help to construct a content smuggling attack against
a vulnerable component employing a lenient parser which would ignore
the content-length header as soon as it sees a transfer-encoding one,
without even parsing it. In this case haproxy would fail to protect it.

The fix consists in completing the existing checks to verify that
"chunked" was present if any "transfer-encoding" header was met,
otherwise either reject the request message or make the response
end on a close.

This fix is only for 2.0 and older versions as legacy mode was
removed from 2.1. It should be backported to all maintained versions.
1 file changed
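The check the commit message describes, written out as an added C example that is not HAProxy's own code. The buggy (legacy-mode) decision and the corrected one sit side by side so the difference is visible: the legacy check only enforces "chunked is last" when "chunked" appears at all, so a header such as "transfer-encoding: foobar" is accepted; the corrected check treats any transfer-encoding header without a trailing "chunked" as invalid, rejecting a request and forcing a response to end on connection close. The tokenizer, the function names and the `te_action` enum are assumptions made for this example; they simplify real header parsing (comma-separated codings, whitespace trimmed, case-insensitive comparison) and are not HAProxy's tokenizer.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Decision taken for a message, mirroring the commit message:
 * a bad request is rejected, a bad response is forwarded but the
 * connection is closed afterwards so it cannot be reused. */
enum te_action { TE_ACCEPT = 0, TE_REJECT = 1, TE_CLOSE = 2 };

/* Hypothetical helper: return 1 if the token [s, s+n) is "chunked" (case-insensitive). */
static int is_chunked_tok(const char *s, size_t n)
{
    return n == 7 && strncasecmp(s, "chunked", 7) == 0;
}

/* Hypothetical simplified tokenizer: advance *pp to the next comma-separated
 * coding, trimming surrounding spaces/tabs. Returns 0 when no token is left. */
static int next_token(const char **pp, const char **start, size_t *len)
{
    const char *p = *pp;
    const char *end;

    while (*p == ' ' || *p == '\t' || *p == ',')
        p++;
    if (!*p) {
        *pp = p;
        return 0;
    }
    *start = p;
    while (*p && *p != ',')
        p++;
    end = p;
    while (end > *start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;
    *len = (size_t)(end - *start);
    *pp = p;
    return 1;
}

/* 1 if "chunked" appears anywhere in the transfer-encoding value. */
static int te_contains_chunked(const char *te)
{
    const char *p = te, *s;
    size_t n;

    while (next_token(&p, &s, &n))
        if (is_chunked_tok(s, n))
            return 1;
    return 0;
}

/* 1 if the value is non-empty and its last coding is "chunked". */
static int te_last_is_chunked(const char *te)
{
    const char *p = te, *s;
    size_t n;
    int seen = 0, last = 0;

    while (next_token(&p, &s, &n)) {
        seen = 1;
        last = is_chunked_tok(s, n);
    }
    return seen && last;
}

/* Pre-fix legacy behaviour as described in the commit message: the
 * "chunked must be last" rule is only applied when "chunked" is present,
 * so "foobar" passes untouched. te == NULL means no header was present. */
int legacy_te_accepts(const char *te)
{
    if (!te)
        return 1;
    if (!te_contains_chunked(te))
        return 1;   /* the bug: nothing enforces presence of "chunked" */
    return te_last_is_chunked(te);
}

/* Post-fix behaviour: any transfer-encoding header must end with "chunked". */
int fixed_te_accepts(const char *te)
{
    if (!te)
        return 1;
    return te_last_is_chunked(te);
}

/* Map the fixed check onto the action the commit message describes. */
enum te_action te_action_for(int is_request, const char *te)
{
    if (fixed_te_accepts(te))
        return TE_ACCEPT;
    return is_request ? TE_REJECT : TE_CLOSE;
}

int main(void)
{
    /* Constructed sample header values, not captured traffic. */
    const char *samples[] = { "chunked", "gzip, chunked", "chunked, foobar", "foobar", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s legacy=%d fixed=%d request_action=%d\n",
               samples[i], legacy_te_accepts(samples[i]),
               fixed_te_accepts(samples[i]), te_action_for(1, samples[i]));
    return 0;
}
```

The two decision functions share the same tokenizer, so the only difference between them is the early return in `legacy_te_accepts` when "chunked" is absent; that single branch is what let a lone "transfer-encoding: foobar" through.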