Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cheroot cannot send a 400 response for requests with invalid chunked message bodies #718

Open
1 of 3 tasks
kenballus opened this issue Jun 16, 2024 · 1 comment
Open
1 of 3 tasks

Cheroot cannot send a 400 response for requests with invalid chunked message bodies #718

kenballus opened this issue Jun 16, 2024 · 1 comment
Labels
bug Something is broken triage

Comments

@kenballus
Copy link

❓ I'm submitting a ...

  • 🐞 bug report
  • 🐣 feature request
  • ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?
When a Cheroot-based WSGI server receives a request with an invalid chunked message body, it raises an exception upon attempting to access environ["wsgi.input"]. Unless I'm mistaken, the issue with this approach is twofold:

  • If environ["wsgi.input"] is never accessed, then the second request in a pipeline is assumed to be immediately following the end of headers of the first request. This leads to framing problems.
  • There is no graceful way to handle invalid chunked message bodies. A Cheroot-based server will either
    • Respond 500 (i.e., not catch the exception) when 400 would have been more appropriate, or
    • Explicitly respond 400, in which case the connection is not closed, and further requests will attempt to be parsed off the connection. This leads to framing problems.

❓ What is the motivation / use case for changing the behavior?
Prevention of request smuggling.

πŸ’‘ To Reproduce
Steps to reproduce the behavior:

  1. Start a Cheroot-Based WSGI server that accesses wsgi.input outside of a try block.
  2. Send it the following:
POST / HTTP/1.1\r\n
Host: a\r\n
Transfer-Encoding: chunked\r\n
\r\n
0 abc\r\n
\r\n
GET / HTTP/1.1\r\n
Host: a\r\n
\r\n
  1. Observe that it 500s.
  2. Add a try block around the access to wsgi.input, and respond 400 in the except block.
  3. Observe that the server responds 400 (as expected), but then responds 200 to the second request, even though a 400 should have caused the connection to be closed.

πŸ’‘ Expected behavior
Requests with invalid chunked message bodies should get 400s.

πŸ“‹ Environment

  • Cheroot version: main (1ff20b1)
  • Python version: 3.11.9
  • OS: Linux 6.9.1
@kenballus kenballus added bug Something is broken triage labels Jun 16, 2024
@kenballus
Copy link
Author

Other WSGI servers either automatically close the connection upon receipt of requests with invalid chunked message bodies (Waitress, Tornado) or close the connection automatically when a 400 response is sent manually (gunicorn).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is broken triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kenballus