Prevent HTTP request smuggling via Header normalization

As identified in RUSTSEC-2020-0031, normalizing the value of a header field (through the use of `str::trim`) can make applications based on this library vulnerable to HTTP request smuggling if the immediate upstream load balancer interprets the malformed header in a different way. This backported patch based on a PR opened against master. [1] [1]: tiny-http#190
bradfier · Jan 21, 2021 · d47ea0c · d47ea0c
1 parent b5b44bc
commit d47ea0c
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/src/common.rs b/src/common.rs
@@ -248,7 +248,13 @@ impl FromStr for HeaderField {
     type Err = ();
 
     fn from_str(s: &str) -> Result<HeaderField, ()> {
-        AsciiString::from_ascii(s.trim()).map(HeaderField).map_err(|_| () )
+        if s.contains(char::is_whitespace) {
+            Err(())
+        } else {
+            AsciiString::from_ascii(s)
+                .map(HeaderField)
+                .map_err(|_| ())
+        }
     }
 }
 
@@ -469,4 +475,17 @@ mod test {
         assert!(header.field.equiv(&"time"));
         assert!(header.value.as_str() == "20: 34");
     }
+
+    // This tests resistance to RUSTSEC-2020-0031: "HTTP Request smuggling through malformed
+    // Transfer Encoding headers" (https://rustsec.org/advisories/RUSTSEC-2020-0031.html).
+    #[test]
+    fn test_strict_headers() {
+        assert!("Transfer-Encoding : chunked".parse::<Header>().is_err());
+        assert!(" Transfer-Encoding: chunked".parse::<Header>().is_err());
+        assert!("Transfer Encoding: chunked".parse::<Header>().is_err());
+        assert!(" Transfer\tEncoding : chunked".parse::<Header>().is_err());
+        assert!("Transfer-Encoding: chunked".parse::<Header>().is_ok());
+        assert!("Transfer-Encoding: chunked ".parse::<Header>().is_ok());
+        assert!("Transfer-Encoding:   chunked ".parse::<Header>().is_ok());
+    }
 }
diff --git a/tests/input-tests.rs b/tests/input-tests.rs
@@ -81,3 +81,15 @@ fn unsupported_expect_header() {
     client.read_to_string(&mut content).unwrap();
     assert!(&content[9..].starts_with("417"));   // 417 status code
 }
+
+#[test]
+fn invalid_header_name() {
+    let mut client = support::new_client_to_hello_world_server();
+
+    // note the space hidden in the Content-Length, which is invalid
+    (write!(client, "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nContent-Type: text/plain; charset=utf8\r\nContent-Length : 5\r\n\r\nhello")).unwrap();
+
+    let mut content = String::new();
+    client.read_to_string(&mut content).unwrap();
+    assert!(&content[9..].starts_with("400 Bad Request")); // 400 status code
+}