Message 358833 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	tburke
Recipients	barry, maxking, r.david.murray, tburke
Date	2019-12-23.20:35:38
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1577133339.21.0.310043555445.issue37093@roundup.psfhosted.org>
In-reply-to

Content
Note that because http.server uses http.client to parse headers [0], this can pose a request-smuggling vector depending on how you've designed your system. For example, you might have a storage system with a user-facing HTTP server that is in charge of * authenticating and authorizing users, * determining where data should be stored, and * proxying the user request to the backend and a separate (unauthenticated) HTTP server for actually storing that data. If the proxy and backend are running different versions of CPython (say, because you're trying to upgrade an existing py2 cluster to run on py3), they may disagree about where the request begins and ends -- potentially causing the backend to process multiple requests, only the first of which was authorized. See, for example, https://bugs.launchpad.net/swift/+bug/1840507 For what it's worth, most http server libraries (that I tested; take it with a grain of salt) seem to implement their own header parsing. Eventlet was a notable exception [1]. [0] https://github.com/python/cpython/blob/v3.8.0/Lib/http/server.py#L336-L337 [1] https://github.com/eventlet/eventlet/pull/574

Note that because http.server uses http.client to parse headers [0], this can pose a request-smuggling vector depending on how you've designed your system. For example, you might have a storage system with a user-facing HTTP server that is in charge of

* authenticating and authorizing users,
* determining where data should be stored, and
* proxying the user request to the backend

and a separate (unauthenticated) HTTP server for actually storing that data. If the proxy and backend are running different versions of CPython (say, because you're trying to upgrade an existing py2 cluster to run on py3), they may disagree about where the request begins and ends -- potentially causing the backend to process multiple requests, only the first of which was authorized.

See, for example, https://bugs.launchpad.net/swift/+bug/1840507

For what it's worth, most http server libraries (that I tested; take it with a grain of salt) seem to implement their own header parsing. Eventlet was a notable exception [1].

[0] https://github.com/python/cpython/blob/v3.8.0/Lib/http/server.py#L336-L337
[1] https://github.com/eventlet/eventlet/pull/574

History
Date	User	Action	Args
2019-12-23 20:35:39	tburke	set	recipients: + tburke, barry, r.david.murray, maxking
2019-12-23 20:35:39	tburke	set	messageid: <1577133339.21.0.310043555445.issue37093@roundup.psfhosted.org>
2019-12-23 20:35:39	tburke	link	issue37093 messages
2019-12-23 20:35:38	tburke	create