Support UTF8 in request headers #981
Comments
This is bound to cause security issues if sozu and the backend server do not follow the same specification for header parsing. RFC 2616 allowed header values in ISO-8859-1 and it was already causing issues
This is one of my concerns but I admit I can't find a scenario that causes security issues. If you can provide examples (for UTF-8 or ISO-8859-1) I would greatly appreciate it.
Unfortunately, this will parse valid as well as malformed UTF-8, so we will not be able to use As a side note, while Cloudflare documents the header charset restriction we already had issues with some of its services adding UTF-8 headers (for example
The issue of special characters in headers is addressed in this PR on Kawa if I'm not mistaken. Should we close the issue @Wonshtrum ?
Look up HTTP request or header smuggling, there's a lot of fun variants. The basic idea is that you have a proxy and a webserver behind it that do not interpret requests in the same way. An additional request can be sent to the server that the proxy would not log, a header might be seen with a different value, etc. Here's one example:
Keksoj This PR in Kawa only adds support for ISO-8859-1 to reintroduce the
For now Sōzu follows RFC 7230 for allowed characters in HTTP headers, which forbids UTF-8 characters and returns a 400.
It could be beneficial to perform a simple passthrough, since more and more traffic contains UTF-8 in headers (typically in non-English speaking countries).
This may have to be done in Kawa.
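As an added illustration of the RFC 7230 field-value rule discussed in this issue (example code, not Sōzu's or Kawa's), the validator below offers the strict mode the issue describes, where any non-ASCII byte is rejected for a 400, next to a passthrough mode that admits obs-text bytes only when the whole value decodes as well-formed UTF-8. Control bytes such as CR and LF are rejected in both modes, which is the part a proxy and its backend must agree on; the type and function names are assumptions.

```rust
// RFC 7230 section 3.2 field-value grammar:
//   field-vchar = VCHAR / obs-text      VCHAR = %x21-7E   obs-text = %x80-FF
//   field-content may also contain SP / HTAB between field-vchars.
// Hypothetical error type, not part of Sōzu or Kawa.
#[derive(Debug, PartialEq)]
pub enum HeaderValueError {
    /// CR, LF, NUL, DEL or another control byte. Always rejected: a proxy and
    /// backend that disagree on these bytes can be desynchronised (smuggling).
    ControlByte(usize),
    /// A byte >= 0x80 while strict (ASCII-only) mode is active.
    NonAscii(usize),
    /// Bytes >= 0x80 were admitted as obs-text but do not form valid UTF-8.
    InvalidUtf8,
}

/// `strict == true` mirrors the current behaviour described in the issue:
/// any byte outside HTAB/SP/VCHAR is refused. `strict == false` is the
/// passthrough variant, but malformed UTF-8 is still refused so that the
/// backend never receives bytes the proxy could not itself interpret.
pub fn validate_header_value(value: &[u8], strict: bool) -> Result<(), HeaderValueError> {
    for (i, &b) in value.iter().enumerate() {
        match b {
            b'\t' | 0x20..=0x7e => {}                           // HTAB, SP, VCHAR
            0x80..=0xff if !strict => {}                        // obs-text, decoded below
            0x80..=0xff => return Err(HeaderValueError::NonAscii(i)),
            _ => return Err(HeaderValueError::ControlByte(i)),  // 0x00-0x08, 0x0A-0x1F, 0x7F
        }
    }
    if !strict && std::str::from_utf8(value).is_err() {
        return Err(HeaderValueError::InvalidUtf8);
    }
    Ok(())
}

fn main() {
    // Constructed sample header values, not taken from real traffic.
    let samples: [&[u8]; 4] = [
        b"text/html",                 // plain ASCII
        "S\u{014d}zu".as_bytes(),     // well-formed UTF-8 ("Sōzu")
        b"S\xf5zu",                   // single ISO-8859-1 byte, invalid as UTF-8
        b"a\r\nX-Injected: 1",        // CRLF inside a value
    ];
    for s in samples {
        println!("{:?}: strict={:?} passthrough={:?}",
                 String::from_utf8_lossy(s),
                 validate_header_value(s, true),
                 validate_header_value(s, false));
    }
}
```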