HTTP response splitting vulnerability #719

kevindixon · 2020-07-23T08:50:33Z

See https://app.snyk.io/vuln/SNYK-PYTHON-UVICORN-570471

tomchristie · 2020-07-23T09:09:42Z

Heya, so it looks like this needs to be resolved in httptools, right?

kevindixon · 2020-07-23T09:34:58Z

@tomchristie if that question is directed at me... honestly I have no idea.
Just a dumb client using the library with no time to dig under the hood... :-)

snoopysecurity · 2020-07-27T11:34:00Z

Hey @tomchristie, what part of the uvicorn deals with parsing http headers? could be a httptools problem. i believe it would be a case of adding some extra validation to check for %0d(CR),%0a(LF) characters. Maybe the below commits from similar issues would help

tomchristie · 2020-07-27T11:38:48Z

Yup first step is double checking if it's directly in httptools that this needs addressing. (Looks like it but I've not dived into it.)

Really this ought to be getting dealt with privatly, but that's my bad, Snyk did notify me about this via email, but I've been too over-committed with everything to have dug into it yet.

tomchristie mentioned this issue Jul 28, 2020

Disallow invalid header characters #725

Merged

tomchristie closed this as completed in #725 Jul 28, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HTTP response splitting vulnerability #719

HTTP response splitting vulnerability #719

kevindixon commented Jul 23, 2020

tomchristie commented Jul 23, 2020

kevindixon commented Jul 23, 2020

snoopysecurity commented Jul 27, 2020

tomchristie commented Jul 27, 2020

HTTP response splitting vulnerability #719

HTTP response splitting vulnerability #719

Comments

kevindixon commented Jul 23, 2020

tomchristie commented Jul 23, 2020

kevindixon commented Jul 23, 2020

snoopysecurity commented Jul 27, 2020

tomchristie commented Jul 27, 2020