Mailing List Archive: #1862: Request URL with whitespace is allowed

#1862: Request URL with whitespace is allowed

Feb 29, 2016, 1:15 AM

Post #1 of 5 (1131 views)

#1862: Request URL with whitespace is allowed
----------------------+---------------------
Reporter: espebra | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: unknown
Severity: normal | Keywords:
----------------------+---------------------
Client requests to {{{/foo bar}}} are accepted by varnishd and are handled
as/translated to {{{/foo}}} - which most likely will end up with the wrong
content being served. Requests to {{{/foo bar}}} are not properly encoded,
and thereby invalid according to the RFC.

RFC 7230 section 3.1.1 (https://tools.ietf.org/html/rfc7230#section-3.1.1)
says:

Recipients of an invalid request-line SHOULD respond with either a
400 (Bad Request) error or a 301 (Moved Permanently) redirect with
the request-target properly encoded. A recipient SHOULD NOT attempt
to autocorrect and then process the request without a redirect, since
the invalid request-line might be deliberately crafted to bypass
security filters along the request chain.

I have attached a simple test case which passes with the current "non-RFC
compliant" behaviour.

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1862>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

_______________________________________________
varnish-bugs mailing list
varnish-bugs@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs

Re: #1862: Request URL with whitespace is allowed [ In reply to ]

varnish-bugs at varnish-cache

Feb 29, 2016, 1:17 AM

Post #2 of 5 (1102 views)

Permalink

Re: #1862: Request URL with whitespace is allowed [ In reply to ]

varnish-bugs at varnish-cache

Feb 29, 2016, 1:48 AM

Post #3 of 5 (1100 views)

Permalink

#1862: Request URL with whitespace is allowed
----------------------+--------------------
Reporter: espebra | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: 4.0.3
Severity: normal | Resolution:
Keywords: |
----------------------+--------------------

Comment (by Dridi):

In Espen's test case, the client URL is {{{"/foo bar"}}} and {{{"bar"}}}
leaks in {{{req.proto}}}, so we have a workaround:

{{{
sub vcl_recv {
if (req.proto !~ "^HTTP/1.[01]$") {
return (synth(400, "Bad Request"));
}
}
}}}

I'm personally leaning toward a 400 error because it's simple and it
doesn't acknowledge non-compliant clients (which I believe in most cases
would be malicious).

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1862#comment:2>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

_______________________________________________
varnish-bugs mailing list
varnish-bugs@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs

Re: #1862: Request URL with whitespace is allowed [ In reply to ]

varnish-bugs at varnish-cache

Feb 29, 2016, 2:11 AM

Post #4 of 5 (1102 views)

Permalink

Re: #1862: Request URL with whitespace is allowed [ In reply to ]

varnish-bugs at varnish-cache

Feb 29, 2016, 9:26 AM

Post #5 of 5 (1092 views)

Permalink

#1862: Request URL with whitespace is allowed
----------------------+--------------------
Reporter: espebra | Owner: Dridi
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: 4.0.3
Severity: normal | Resolution:
Keywords: |
----------------------+--------------------
Changes (by Dridi):

* owner: => Dridi

Comment:

Assigning to myself.

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1862#comment:4>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

_______________________________________________
varnish-bugs mailing list
varnish-bugs@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs