Pound forwards chunk sizes prefixed with 0x, -, and + #19

Closed
kenballus opened this issue Oct 10, 2023 · 1 comment

kenballus commented Oct 10, 2023

Because Pound parses chunk sizes using `strtoll(, , 16)`, chunk sizes that begin with `0x` are erroneously accepted and forwarded. `-` and `+` prefixes are also accepted for the same reason, though `-` is only accepted when the chunk size is 0. This is not permitted in the HTTP RFCs, and can lead to problems for downstream servers because some servers interpret chunk sizes that begin with `0x` as equivalent to 0. This can be used for request smuggling against such servers.

@kenballus kenballus changed the title Pound accepts and forwards chunk-sizes prefixed with 0x. Pound forwards chunk sizes prefixed with 0x Oct 10, 2023
@kenballus kenballus changed the title Pound forwards chunk sizes prefixed with 0x Pound forwards chunk sizes prefixed with 0x, -, and + Oct 10, 2023
@graygnuorg
Owner

Thanks for reporting. Fixed by 60a4f42 and f70db92.
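
The parsing difference reported in this issue, shown as an added example that is not Pound's code and not taken from the fixing commits. `lenient_chunk_size` models the `strtoll` base-16 pattern and `strict_chunk_size` accepts only the RFC 9112 grammar `chunk-size = 1*HEXDIG`; both function names and the sample inputs are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse: strtoll() in base 16 skips leading whitespace and accepts
 * an optional sign and an optional "0x" prefix before the digits.
 * Returns the parsed value, or -1 if nothing was consumed. */
long long lenient_chunk_size(const char *s)
{
    char *end;
    long long n = strtoll(s, &end, 16);
    return end == s ? -1 : n;
}

/* Strict parse: hex digits only, overflow rejected, and the size must be
 * followed by ';' (chunk extension), CR, or end of string. Whitespace
 * before ';' is rejected here as a conservative choice.
 * Returns the size, or -1 if the field is malformed. */
long long strict_chunk_size(const char *s)
{
    long long n = 0;
    size_t i = 0;

    for (;; i++) {
        int d;
        char c = s[i];
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (n > (LLONG_MAX - d) / 16) return -1;    /* would overflow */
        n = n * 16 + d;
    }
    if (i == 0) return -1;                           /* no digits at all */
    if (s[i] != '\0' && s[i] != ';' && s[i] != '\r') return -1;
    return n;
}

int main(void)
{
    /* Constructed sample chunk-size fields. */
    const char *samples[] = { "1a", "0x1a", "+1a", "-0", " 1a", "1a;ext=1" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s lenient=%lld strict=%lld\n", samples[i],
               lenient_chunk_size(samples[i]), strict_chunk_size(samples[i]));
    return 0;
}
```

A proxy that rejects any chunk-size field for which the strict parser returns -1 never forwards a size that a downstream server could read differently.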
