Netty shouldn't allow the invalid fold.

See original GitHub issue

Expected behavior

Netty shouldn’t allow the invalid fold. According to RFC7230, https://tools.ietf.org/html/rfc7230#section-3.2.

     header-field   = field-name ":" OWS field-value OWS

     field-name     = token
     field-value    = *( field-content / obs-fold )
     field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
     field-vchar    = VCHAR / obs-text

     obs-fold       = CRLF 1*( SP / HTAB )
                    ; obsolete line folding
                    ; see Section 3.2.4

An SP or HTAB should follow the CRLF. But Netty allows a CRLF without an SP or HTAB.

Actual behavior

Netty accepts the invalid fold. This may cause HTTP smuggling.

Steps to reproduce

Send a request like this:

POST / HTTP/1.1
Host: example.com
Connection: close
Content-Length: 5
Content-Length:
6

0

Minimal yet complete reproducer code (or URL to code)

Netty version

all

JVM version (e.g. java -version)

java version “1.8.0_181”

OS version (e.g. uname -a)

Darwin ZedddeMacBook-Pro.local 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
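
A strict parser for the grammar quoted in the issue, as an added example (not Netty's code and not part of the original report). It accepts a fold only when the CRLF is followed by SP or HTAB, and it goes slightly beyond the report by also rejecting conflicting Content-Length values; `parse_headers`, `BadHeader`, `verdict` and the sample requests are names and inputs constructed for illustration.

```python
import re

# RFC 7230 "token" characters, the only bytes allowed in a field-name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class BadHeader(ValueError):
    """A header line violates the RFC 7230 section 3.2 grammar."""

def parse_headers(raw: bytes):
    """Strictly parse a request head; return (request_line, [(name, value), ...])."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadHeader("header block is not terminated by an empty line")
    request_line, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        if b"\r" in line or b"\n" in line:
            raise BadHeader(f"bare CR or LF inside a line: {line!r}")
        if line[:1] in (b" ", b"\t"):
            # obs-fold: CRLF 1*( SP / HTAB ). Unfold by joining with one SP.
            if not headers:
                raise BadHeader("fold before the first header field")
            name, value = headers[-1]
            headers[-1] = (name, (value + b" " + line.strip(b" \t")).strip())
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            # The reported case: neither a header field nor a valid fold.
            raise BadHeader(f"line without colon or leading SP/HTAB: {line!r}")
        if not TOKEN.fullmatch(name):
            raise BadHeader(f"invalid field-name: {name!r}")
        headers.append((name.lower(), value.strip(b" \t")))
    lengths = {v for n, v in headers if n == b"content-length"}
    if len(lengths) > 1:
        raise BadHeader(f"conflicting Content-Length values: {sorted(lengths)}")
    return request_line, headers

def verdict(raw: bytes) -> str:
    """Return "accept" or "reject: <reason>" for one raw request."""
    try:
        parse_headers(raw)
        return "accept"
    except BadHeader as exc:
        return f"reject: {exc}"

# Constructed samples: the request from the report, then a well-formed fold.
REPORTED = (b"POST / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n"
            b"Content-Length: 5\r\nContent-Length:\r\n6\r\n\r\n0")
FOLDED = b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Note: first\r\n\tsecond\r\n\r\n"
```

RFC 7230 section 3.2.4 lets a server either reject obs-fold outright or replace it with SP before interpreting the value; this example takes the second option for well-formed folds.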

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 12 (4 by maintainers)

Top GitHub Comments

1 reaction
ZeddYu commented, Dec 11, 2019

@ZeddYu while I agree that there is an issue I can’t see how this could lead to http smuggling as netty will just create a header name with value 6 here.

@normanmaurer This may be a little complex. According to the end of https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn, we can use an invalid CRLF to bypass some situations like this.

0 reactions
ssennath92 commented, Feb 17, 2020

Can HTTP request smuggling be solved by disabling the reuse of back-end connections?


Top Results From Across the Web

CVE-2019-20444 (CCN-175487) - CERT Civis.NET
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an...

K14752415: Netty vulnerability CVE-2019-20444 - AskF5
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP ... with an incorrect syntax, or might be interpreted as an "invalid fold.

HTTP Request Smuggling in Netty - Vulners
This allows an attacker to smuggle HTTP requests via an invalid line fold.

CVE-2019-20444
Netty shouldn't allow the invalid fold. · Issue #9866 · netty/netty · GitHub, Exploit Issue Tracking Patch Third Party Advisory github.com