werkzeug currently parses Content-Length using int. This causes problems because int accepts a lot more than should be acceptable in that field. The biggest problem characters are '-', '+', and '_'.
Examples
HTTP requests in which werkzeug misinterprets content-length (assume all newlines are CRLF):
Underscore between digits
GET / HTTP/1.1
Connection: close
Host: whatever
Content-Length: 0_1
Plus sign prefix
GET / HTTP/1.1
Connection: close
Host: whatever
Content-Length: +1
Solution
The set of things you want to accept in a Content-Length header is not equal to the set of things that can get through int without error. During Content-Length parsing, check that the value is all ASCII digits before accepting. A more principled approach would reject all invalid Content-Length fields instead of just ignoring them. This is the approach taken by a large majority of other HTTP servers.
Versions
CPython version: 3.10.11
werkzeug version: main
That's annoying, int parses all of +123, 1_23, and ١٢٣ as 123, as does float. This feels vaguely security related, although I can't tell how. In the future, please draft a GitHub security advisory https://github.com/pallets/werkzeug/security/advisories to report issues like this.
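The int()-versus-strict parsing discussed in the issue's Solution section and in the reply above, as an added example in Python (not werkzeug's own code). parse_content_length_lenient reproduces the int()-based behaviour the reporter describes, with a ValueError falling through to "ignore the header"; parse_content_length_strict accepts only one or more ASCII digits, which is what RFC 9110 defines for Content-Length; frame_request is a constructed toy request splitter (no chunked encoding, no duplicate-header handling) that shows how the two parsers disagree about where the body of a constructed request ends. Function names and the sample request are assumptions made for this example.

```python
"""Strict vs int()-based Content-Length parsing (added example, not werkzeug code)."""
from __future__ import annotations

import re
from typing import Optional

# RFC 9110 section 8.6: Content-Length = 1*DIGIT, DIGIT being ASCII 0-9 only.
# A literal [0-9] range matches only ASCII digits; str.isdigit() and \d would
# also accept Unicode digits such as Arabic-Indic ones.
_ASCII_DIGITS = re.compile(r"[0-9]+")


def parse_content_length_lenient(value: str) -> Optional[int]:
    """int()-based parsing as described in the issue.

    int() accepts '+1', '0_1', surrounding whitespace and non-ASCII digits,
    and returns a negative number for '-1'. Anything it cannot parse is
    returned as None, i.e. the header is silently ignored.
    """
    try:
        return int(value)
    except ValueError:
        return None


def parse_content_length_strict(value: str) -> int:
    """Accept exactly 1*DIGIT (ASCII); raise ValueError for everything else."""
    if not _ASCII_DIGITS.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)


def strict_rejects(value: str) -> bool:
    """Helper for tests: True if the strict parser raises on the value."""
    try:
        parse_content_length_strict(value)
    except ValueError:
        return True
    return False


def frame_request(raw: bytes, strict: bool) -> tuple[dict, bytes, bytes]:
    """Split one HTTP/1.1 request into (headers, body, leftover bytes).

    Toy parser for the demo only (assumption: CRLF line endings, no chunked
    encoding, no header folding). With strict=False the lenient int() result
    decides the body length and an ignored header means "no body"; with
    strict=True a malformed Content-Length is a parse error, which is what a
    server should turn into a 400 response.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()

    cl_raw = headers.get("content-length")
    if cl_raw is None:
        length = 0
    elif strict:
        length = parse_content_length_strict(cl_raw)
    else:
        length = parse_content_length_lenient(cl_raw)
        if length is None or length < 0:  # ignored, as if the header were absent
            length = 0
    return headers, rest[:length], rest[length:]


# Constructed sample: the reporter's "0_1" request followed by a pipelined
# second request on the same connection. int("0_1") == 1, so the lenient
# parser eats one byte ("A") as the body; the strict parser rejects the header.
SAMPLE = (
    b"GET / HTTP/1.1\r\n"
    b"Connection: keep-alive\r\n"
    b"Host: whatever\r\n"
    b"Content-Length: 0_1\r\n"
    b"\r\n"
    b"A"
    b"GET /second HTTP/1.1\r\nHost: whatever\r\n\r\n"
)


def lenient_body_of_sample() -> bytes:
    return frame_request(SAMPLE, strict=False)[1]


def lenient_leftover_of_sample() -> bytes:
    return frame_request(SAMPLE, strict=True if False else False)[2]


def strict_rejects_sample() -> bool:
    try:
        frame_request(SAMPLE, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for v in ("123", "+1", "0_1", "-1", "\u0661\u0662\u0663", " 1"):
        print(repr(v), "lenient:", parse_content_length_lenient(v),
              "strict rejects:", strict_rejects(v))
    print("lenient body:", lenient_body_of_sample())
    print("strict rejects sample:", strict_rejects_sample())
```

Two parsers that disagree about where a request ends is the ingredient for desynchronisation between a front proxy and the application server, which is why rejecting the malformed header outright, as most other HTTP servers do, is preferable to ignoring it.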