(CVE-2024-52530) Request smuggling via stripping of null bytes from the ends of header names
When Libsoup parses HTTP headers, it ignores null bytes at the end of a header name, so a header named Transfer-Encoding\x00 is treated exactly like Transfer-Encoding. This allows request smuggling when Libsoup is used in a service behind a reverse proxy that forwards null bytes in header names as-is, instead of stripping them or rejecting the request.
For example, a malicious client might send the following request to such a reverse proxy (\r\n and \x00 denote the raw bytes):
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding\x00: chunked\r\n
Content-Length: 32\r\n
\r\n
0\r\n\r\nGET / HTTP/1.1\r\nHost: a\r\n\r\n
The proxy sees a single request: it does not consider Transfer-Encoding\x00 equivalent to Transfer-Encoding, so it frames the body by Content-Length: 32, which covers exactly the remaining bytes. When the proxy forwards the request unchanged, Libsoup strips the null byte, recognises Transfer-Encoding: chunked, and gives it priority over Content-Length (as RFC 9112 requires when both are present). The zero-length chunk ends the first request's body immediately, and the trailing GET / HTTP/1.1 is parsed as a second request that the proxy never saw.
A reasonable fix would be to respond 400 to any request with a null byte in a header name. A null byte is not a valid field-name character in the first place (field names are tokens, which exclude control characters), so rejecting the request loses nothing, whereas silently normalising the name away is exactly what creates the disagreement with the proxy.
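The desync above, together with the proposed fix, as an added example that is not part of the advisory or of libsoup's own code. It models two framers over the same byte stream: one that matches header names exactly (the proxy) and one that strips trailing null bytes from header names and prefers Transfer-Encoding over Content-Length (pre-fix Libsoup, as the write-up describes it). The helper names, the 400 response text and the sample request bytes are constructed here; the request is the one shown above.

```python
"""Added example (not libsoup code): model of the proxy/Libsoup framing
disagreement described above, plus the proposed 400 rejection."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the request from the write-up, byte for byte.  The body
# after the blank line is exactly 32 bytes, so Content-Length covers all of it.
RAW_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: whatever\r\n"
    b"Transfer-Encoding\x00: chunked\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"0\r\n\r\nGET / HTTP/1.1\r\nHost: a\r\n\r\n"
)

def _split_head(stream: bytes) -> Tuple[bytes, bytes]:
    """Return (request line + header block, bytes after the blank line)."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete request head")
    return stream[:end], stream[end + 4:]

def _parse_headers(lines: List[bytes], strip_trailing_nul: bool) -> Dict[str, bytes]:
    headers: Dict[str, bytes] = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        if strip_trailing_nul:
            # Pre-fix Libsoup behaviour as described: NULs at the end of the
            # name are ignored, so b"Transfer-Encoding\x00" matches Transfer-Encoding.
            name = name.rstrip(b"\x00")
        headers[name.decode("latin-1").strip().lower()] = value.strip()
    return headers

def _read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left after the trailer section)."""
    body, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            break
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    while True:  # trailer section ends with an empty line
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line, pos = data[pos:eol], eol + 2
        if line == b"":
            return bytes(body), data[pos:]

def _read_body(headers: Dict[str, bytes], rest: bytes) -> Tuple[bytes, bytes]:
    # Transfer-Encoding overrides Content-Length when both are present (RFC 9112 6.3).
    if headers.get("transfer-encoding", b"").lower() == b"chunked":
        return _read_chunked(rest)
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError("body shorter than Content-Length")
        return rest[:n], rest[n:]
    return b"", rest

def parse_requests(stream: bytes, strip_trailing_nul: bool) -> list:
    """Split a byte stream into (request line, headers, body) tuples, framing
    it like the proxy (False) or like pre-fix Libsoup (True)."""
    requests = []
    while stream:
        head, rest = _split_head(stream)
        lines = head.split(b"\r\n")
        headers = _parse_headers(lines[1:], strip_trailing_nul)
        body, stream = _read_body(headers, rest)
        requests.append((lines[0], headers, body))
    return requests

def reject_nul_in_header_names(stream: bytes) -> Optional[bytes]:
    """Proposed fix: refuse, rather than normalise, a NUL anywhere in a header name."""
    head, _ = _split_head(stream)
    for line in head.split(b"\r\n")[1:]:
        if b"\x00" in line.partition(b":")[0]:
            return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    return None

if __name__ == "__main__":
    print("proxy sees", len(parse_requests(RAW_REQUEST, False)), "request(s)")
    print("Libsoup sees", len(parse_requests(RAW_REQUEST, True)), "request(s)")
    print("hardened parser answers:", reject_nul_in_header_names(RAW_REQUEST))
```

Run stand-alone, the proxy-style framer reports one request whose 32-byte body is the entire remainder, while the Libsoup-style framer reports two, the second being the smuggled GET. The rejection check runs on the raw header block before any name normalisation, which is the point: the decision must be made on the bytes the proxy also saw.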