Client GET requests with transfer-encoding are wrongly stripped #1925
Comments
without adding a Transfer-Encoding or Content-Length header. This has always been wrong, but hyperium/hyper#1925 hid the bug until hyper was upgraded to 0.12.35.
* Update all dependencies
* Upgrade dependencies whenever “easy”
  “easy” means that there are no major changes required.
* Fix build and bump paste dependency to 0.1.6
* Remove dead code
* Re-add = dependency for futures-preview
* Add missing std features for runtime-io
* Remove git dependencies as updated versions have been published to crates.io
* try to debug bug
* For sr-io, "std" should imply "no_oom" and "no_panic_handler".
  Otherwise, rustc complains (correctly) about duplicate lang items.
* Add missing "runtime-io/std" features
* Fix compilation errors
* Prevent duplicate lang items
  Rust does not allow duplicate lang items. When compiled without the `std` feature, `sr-io` defines two lang items. Therefore, `sr-io` compiled without `feature = "std"` must not be linked with `std`. However, `pwasm-utils` and `wasmi-validation` both bring in `std` unless compiled with `default-features = "false"`. This caused a duplicate lang item error. Building both with `default-features = "false"` prevents this error. When building with `feature = "std"`, they should both be built with the `std` feature, so this feature needs to be explicitly depended on.
* Bump `impl_version`
* Make tests pass
  Three tests used 1 less gas than they had previously.
* Try to un-break build
* Add a Cargo.lock file
* Revert offchain code
* Revert "Revert offchain code"
  This reverts commit d216d08.
* Don’t try to send a body with a GET request without adding a Transfer-Encoding or Content-Length header. This has always been wrong, but hyperium/hyper#1925 hid the bug until hyper was upgraded to 0.12.35.
* Change some more GET requests to POST requests
* Fix excess line width and remove an `extern crate`
* Delete commented-out extern crate
  Co-Authored-By: Sergei Pepyakin <[email protected]>
* Fix regression in Cargo.toml files
  dev-dependencies need `default-features = false`, too.
* Bump parity-wasm dependency
* Bump `futures-preview`
* Apply suggestions from code review
  Co-Authored-By: Bastian Köcher <[email protected]>
* Update Cargo.lock files
* Apply suggestions from code review
  Co-Authored-By: Bastian Köcher <[email protected]>
* Update core/service/src/chain_ops.rs
  Co-Authored-By: Sergei Pepyakin <[email protected]>
FYI there is a PR open against RustSec vulnerability database describing this issue as a potential request smuggling vector: rustsec/advisory-db#255

This article provides a nice explanation of request smuggling vulnerabilities: https://portswigger.net/web-security/request-smuggling

Any additional info from the maintainers would be appreciated.
Do you have an example of a curl request that would work for request smuggling? @seanmonstar
The client wrongly strips `transfer-encoding: chunked` from GET requests, thinking that GET requests shouldn't have payloads. However, that's not explicitly true:

The original implementation was trying to protect from empty `Body::wrap_stream(some_empty_stream)`s automatically adding `transfer-encoding: chunked` to a GET request.

The fix should probably still protect against that, but if the `transfer-encoding` header has been explicitly set on the `Request`, it should be forwarded as-is.
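
The framing mismatch behind the request-smuggling concern raised in this thread, as an added example that is not part of the issue and is not hyper's code: a std-only Rust sketch of a receiver that frames HTTP/1.1 messages from their headers alone. It assumes the body bytes still reach the wire after the header is removed; the host, path and body are constructed sample values.

```rust
// Added example, std only; not hyper's code. Models a receiver that frames
// HTTP/1.1 messages purely from their headers.

/// Length of the first message in `wire`, or None if incomplete/malformed.
/// Chunk extensions and trailers are not handled in this sketch.
fn first_message_len(wire: &[u8]) -> Option<usize> {
    let head_end = wire.windows(4).position(|w| w == b"\r\n\r\n")? + 4;
    let head = std::str::from_utf8(&wire[..head_end]).ok()?.to_ascii_lowercase();
    let (mut chunked, mut content_length) = (false, 0usize);
    for line in head.lines().skip(1) {
        if let Some((name, value)) = line.split_once(':') {
            match name.trim() {
                "transfer-encoding" => chunked = value.trim().ends_with("chunked"),
                "content-length" => content_length = value.trim().parse().ok()?,
                _ => {}
            }
        }
    }
    if !chunked {
        // No chunked framing: the body is exactly content-length bytes (0 if absent).
        let end = head_end + content_length;
        return if end <= wire.len() { Some(end) } else { None };
    }
    let mut pos = head_end;
    loop {
        let line_end = pos + wire[pos..].windows(2).position(|w| w == b"\r\n")?;
        let size = usize::from_str_radix(std::str::from_utf8(&wire[pos..line_end]).ok()?.trim(), 16).ok()?;
        pos = line_end + 2 + size + 2; // size line CRLF, chunk data, trailing CRLF
        if pos > wire.len() { return None; }
        if size == 0 { return Some(pos); }
    }
}

/// Bytes the receiver would parse as the start of the next message.
fn leftover(wire: &[u8]) -> Option<usize> {
    first_message_len(wire).map(|n| wire.len() - n)
}

/// Constructed sample GET; `keep_te` says whether the caller's header survives.
fn sample(keep_te: bool) -> Vec<u8> {
    let te = if keep_te { "transfer-encoding: chunked\r\n" } else { "" };
    let mut wire = format!("GET /search HTTP/1.1\r\nhost: example.test\r\n{}\r\n", te).into_bytes();
    wire.extend_from_slice(b"5\r\nhello\r\n0\r\n\r\n");
    wire
}

fn main() {
    println!("header forwarded: {:?} bytes left over", leftover(&sample(true)));
    println!("header stripped:  {:?} bytes left over", leftover(&sample(false)));
}
```

With the header forwarded the receiver consumes the whole message; with it stripped, the 15 body bytes stay on the connection and are read as the start of another message.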