Netty shouldn't allow the invalid fold.
Expected behavior
Netty shouldn’t allow the invalid fold. According to RFC7230, https://tools.ietf.org/html/rfc7230#section-3.2.
```
header-field   = field-name ":" OWS field-value OWS
field-name     = token
field-value    = *( field-content / obs-fold )
field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
field-vchar    = VCHAR / obs-text
obs-fold       = CRLF 1*( SP / HTAB )
               ; obsolete line folding
               ; see Section 3.2.4
```
An SP or HTAB should follow the CRLF, but Netty allows a CRLF without an SP or HTAB.
Actual behavior
Netty accepts the invalid fold. This may cause HTTP smuggling.
Steps to reproduce
Send a request like this:
```
POST / HTTP/1.1
Host: example.com
Connection: close
Content-Length: 5
Content-Length:
6
0
```
Minimal yet complete reproducer code (or URL to code)
Netty version
all
JVM version (e.g. java -version)
java version “1.8.0_181”
OS version (e.g. uname -a)
Darwin ZedddeMacBook-Pro.local 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
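One way to enforce the grammar quoted in this issue, as an added example (not Netty's code and not from the issue author): a standalone Java check that rejects a line with no colon and no leading SP/HTAB instead of treating it as a fold. The class and method names are hypothetical, and the input is constructed from the reproducer's header lines.

```java
import java.util.*;

public class StrictHeaderCheck {
    // field-name = token; tchar set from RFC 7230 section 3.2.6.
    static boolean isToken(String s) {
        if (s.isEmpty()) return false;
        for (char c : s.toCharArray()) {
            boolean alnum = c < 128 && Character.isLetterOrDigit(c);
            if (!alnum && "!#$%&'*+-.^_`|~".indexOf(c) < 0) return false;
        }
        return true;
    }

    /** Parses header lines already split on CRLF, with the request line removed. */
    static Map<String, List<String>> parse(List<String> lines) {
        Map<String, List<String>> headers = new LinkedHashMap<>();
        String last = null;
        for (String line : lines) {
            if (line.isEmpty()) break;                    // empty line ends the header section
            char first = line.charAt(0);
            if (first == ' ' || first == '\t') {          // well-formed obs-fold: CRLF 1*( SP / HTAB )
                if (last == null) throw new IllegalArgumentException("fold before any header");
                List<String> vals = headers.get(last);
                int i = vals.size() - 1;
                vals.set(i, (vals.get(i) + " " + line.trim()).trim()); // fold replaced by one SP
                continue;
            }
            int colon = line.indexOf(':');
            // No colon and no leading SP/HTAB: neither a header-field nor an obs-fold.
            if (colon < 0)
                throw new IllegalArgumentException("no colon and no leading SP/HTAB: \"" + line + "\"");
            String name = line.substring(0, colon);
            if (!isToken(name)) throw new IllegalArgumentException("invalid field-name: \"" + name + "\"");
            last = name.toLowerCase(Locale.ROOT);
            headers.computeIfAbsent(last, k -> new ArrayList<>()).add(line.substring(colon + 1).trim());
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed input: the header lines of the reproducer request above.
        List<String> req = Arrays.asList("Host: example.com", "Connection: close",
                "Content-Length: 5", "Content-Length:", "6", "");
        try {
            System.out.println("accepted: " + parse(req));
        } catch (IllegalArgumentException e) {
            System.out.println("400 Bad Request: " + e.getMessage());
        }
    }
}
```

A parser that instead appended the bare `6` to the preceding empty `Content-Length:` would end up with two conflicting lengths (5 and 6), which is the ambiguity the issue ties to request smuggling.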
Issue Analytics
- State:
- Created 4 years ago
- Comments:12 (4 by maintainers)
Top GitHub Comments
@normanmaurer This may be a little complex. According to the end of https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn, we can use an invalid CRLF to bypass some situations like this.
Can HTTP request smuggling be solved by disabling the reuse of back-end connections