HTTP parser does not handle obs-fold correctly about iodine HOT 3 CLOSED

Wow, @dcepelik ,

Thanks for pointing this out! It looks important! 🤩🤩🤩🙏🏻🙏🏻🙏🏻

I bet that finding this issue wasn't easy 👏🏻👏🏻👏🏻

I think this issue could have raised some interesting security concerns if iodine was used as a proxy instead of an application server (header smuggling could occur if whitespace removal was performed)...

I'm off to read more about this issue and see what I can do to fix it.

Cheers,
Bo.

from iodine.

Hey @boazsegev, I have found a couple more issues while doing due diligence on Iodine. Please let me know if I can provide more details.

I think this issue could have raised some interesting security concerns if iodine was used as a proxy instead of an application server (header smuggling could occur if whitespace removal was performed)...

If multiple HTTP-aware components are stacked and at least two disagree about the meaning of the message, problems are bound to happen. I was specifically looking for ways to smuggle requests in and found unrelated issues.

from iodine.

Hi @dcepelik ,

When coding iodine I made the (poor?) assumption that it would always "hide" behind nginx, so I omitted some conformity tests from the parser (assuming these would be handled before the request arrives).

However, you are right in your approach and I am working on a fix for these issues. Since the parser is written in C, I might also consider replacing it with an open source (MIT licensed) alternative, especially if it is fast and keeps the same behavior (i.e., converts header names to lower case, allow UTF-8 header names, etc').

Very nice and creative work on attempting all these attack vectors and variations 👍🏻

from iodine.