
What squid should do with RFC non-compliant response header?

What squid should do with RFC non-compliant response header?

Eliezer Croitoru
Hi List,

I noticed that there are broken services out there which use non-RFC-compliant
response headers, such as the case of a space, for example:
"Content Type:  hola amigos"

Compared to:
"Content-Type: Hola amigos"

Leaving aside whether the content type is valid and is indeed a MIME one, and
looking only at the header name:
Should squid pass such a header or deny it?
What is expected from squid?
Should squid continue to handle the request or report an error?


Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: What squid should do with RFC non-compliant response header?

L. A. Walsh
Eliezer Croitoru wrote:
> Hi List,
>
> I noticed that there are broken services out there which use non-RFC-compliant
> response headers, such as the case of a space, for example:
> "Content Type:  hola amigos"
>  
Hmmm....April 1?...

Seriously -- what would a user's browser do?  Probably depends on
browser, but browsers are notoriously accepting and most would
likely ignore a problem like that and try to use defaults to
decide on content and rendering.

So if you want your proxy to not look like a stick-in-the-mud
for standards, I'd just pass it on.  If a proxy rejected every
non-compliant web-page, some significant percentage of the web
would be unviewable.




Re: What squid should do with RFC non-compliant response header?

Eliezer Croitoru
Thanks for the response.
Actually browsers ignore the header as a response header and do not show it at all.
(at least Firefox)
Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: L A Walsh [mailto:[hidden email]]
Sent: Wednesday, April 5, 2017 10:19 PM
To: Eliezer Croitoru <[hidden email]>
Cc: [hidden email]
Subject: Re: What squid should do with RFC non-compliant response header?

Eliezer Croitoru wrote:
> Hi List,
>
> I noticed that there are broken services out there which use non-RFC-compliant
> response headers, such as the case of a space, for example:
> "Content Type:  hola amigos"
>  
Hmmm....April 1?...

Seriously -- what would a user's browser do?  Probably depends on browser, but browsers are notoriously accepting and most would likely ignore a problem like that and try to use defaults to decide on content and rendering.

So if you want your proxy to not look like a stick-in-the-mud for standards, I'd just pass it on.  If a proxy rejected every non-compliant web-page, some significant percentage of the web would be unviewable.





Re: What squid should do with RFC non-compliant response header?

Amos Jeffries
Administrator
On 6/04/2017 7:32 a.m., Eliezer  Croitoru wrote:
> Thanks for the response.
> Actually browsers ignore the header as a response header and do not show it at all.
> (at least Firefox)
> Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.
>

There is actually a CVE problem "HTTP request/response smuggling" in all
cases of the type you described.

I don't know why you are asking for votes or opinions on this. Once the
message formatting has been violated there is exactly zero ways for
software to tell where that broken header ends. What any particular
person expects does not enter into it. Zero is zero.


All the rest of the bytes received from the sender may be part of that
single broken header.  That includes the ':' that you *assumed* was end
of header name, and CRLF bytes which would in real HTTP syntax normally
signify end of header and/or end of message. The header is not HTTP
syntax, therefore HTTP syntax no longer applies and the CRLF plus other
lines that look on the surface like HTTP syntax could all be part of its
middle.
 Thus the smuggling CVE applies to all cases where the headers are
invalid at the syntax/format level.

There are exactly two things that can be done by a proxy when this type
of error is encountered:

 1) what the RFC says to do (and should be expected from any HTTP proxy)
- deliver the client a 4xx for broken requests or 5xx for broken
responses. Terminating the connection when the error is sent.

or
  2) truncate the message at the CRLF before the garbage and drop all
other bytes received on that connection. Terminate the connection when
the HTTP transaction is "completed".


Doing (2) might sound attractive in terms of getting something to the
user at any cost. But what the user actually sees is a range of bad
behaviour from incomplete web pages, to broken web applications, to
plain wrong responses coming back. With no indication of what is going
wrong.
 To give a clear idea of what is broken and where the problem is - the
best option for a proxy is (1). To do the same thing as a browser is
just creating harm.


FYI: The HTTP RFCs are based squarely in running code implementations
with decades of testing behind them now. Going against what is written
there is exactly the best way to cause yourself (and users) trouble and
pain when interacting with other HTTP software.

Amos
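
Option (1) from the message above, sketched as an added example (not part of the original thread and not Squid's code): a strict check of a response header section against the RFC 7230 field-name grammar, answering 502 instead of relaying. The function names, the choice of 502 as the 5xx code, and the sample messages are assumptions made for illustration.

```python
import re

# RFC 7230 section 3.2.6: a field-name is a token built only from these characters.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
STATUS = re.compile(rb"HTTP/\d\.\d \d{3}( |\Z)")

# Constructed samples: the two header lines quoted in the thread, plus a bare-LF case.
SAMPLE_GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: Hola amigos\r\n\r\nbody"
SAMPLE_BAD = b"HTTP/1.1 200 OK\r\nContent Type:  hola amigos\r\n\r\nbody"
SAMPLE_BARE_LF = b"HTTP/1.1 200 OK\r\nX-A: 1\nContent-Length: 0\r\n\r\n"

def check_response_head(raw: bytes):
    """Validate the header section of an upstream response; return (ok, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header section not terminated by CRLF CRLF"
    lines = head.split(b"\r\n")
    if not STATUS.match(lines[0]):
        return False, "malformed status line"
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:
            # A lone CR or LF is not a line terminator; parsers disagree on it.
            return False, "bare CR or LF inside header section"
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"
        name, colon, _value = line.partition(b":")
        if not colon:
            return False, "field line without ':'"
        # Stricter than required in one respect: whitespace directly before the
        # colon is also rejected here, where RFC 7230 has proxies strip it.
        if not TOKEN.fullmatch(name):
            return False, "invalid field-name %r" % name
    return True, "ok"

def proxy_decision(raw: bytes):
    """Relay a well-formed response; otherwise answer 502 and close upstream."""
    ok, reason = check_response_head(raw)
    if ok:
        return "relay", reason
    return "502 Bad Gateway", reason

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD, SAMPLE_BARE_LF):
        print(proxy_decision(sample))
```
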


Re: What squid should do with RFC non-compliant response header?

Alex Rousskov
On 04/06/2017 10:07 AM, Amos Jeffries wrote:
> On 6/04/2017 7:32 a.m., Eliezer  Croitoru wrote:
>> Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.


> There is actually a CVE problem "HTTP request/response smuggling" in all
> cases of the type you described.


> There are exactly two things that can be done by a proxy when this type
> of error is encountered:

>  1) [send an error message]
>  2) truncate the message at the CRLF before the garbage

There are many other reasonable things a proxy can do, with admin
permission, but it is pointless to discuss their details on squid-users
IMO. And yes, pretty much all of them may cause HTTP message smuggling.
They are useful as temporary compatibility workarounds, not universal
default solutions.

Alex.


Re: What squid should do with RFC non-compliant response header?

Eliezer Croitoru
Thanks Amos and Alex,

I have seen a scenario like that but while working with haproxy.
I believe that there is a difference between a "security" proxy appliance and some other kinds.
The enforcement of the RFC for headers computability seems like the right way to go for any general HTTP proxy.
The issue may arise when some developer might make a mistake in PHP or another customised service. PHP doesn't enforce the header syntax, and it is possible that a developer will run broken code.

For the case with haproxy it returned a 500 wrong response.
To test the issue I had to compare two\three cases such as:
- plain text file
- plain html file
- simple phpinfo() php script

When testing these the conclusion was that there is something wrong with the php code that the developer wrote.
At least I can say that I have not seen such an error in any open source web application that is based on php. So I believe that they have some hidden quality to do things the right way.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Alex Rousskov
Sent: Thursday, April 6, 2017 8:45 PM
To: [hidden email]
Subject: Re: [squid-users] What squid should do with RFC non-compliant response header?

On 04/06/2017 10:07 AM, Amos Jeffries wrote:
> On 6/04/2017 7:32 a.m., Eliezer  Croitoru wrote:
>> Technically I would expect squid to pass it but it might have the potential for a CVE in some cases.


> There is actually a CVE problem "HTTP request/response smuggling" in
> all cases of the type you described.


> There are exactly two things that can be done by a proxy when this
> type of error is encountered:

>  1) [send an error message]
>  2) truncate the message at the CRLF before the garbage

There are many other reasonable things a proxy can do, with admin permission, but it is pointless to discuss their details on squid-users IMO. And yes, pretty much all of them may cause HTTP message smuggling.
They are useful as temporary compatibility workarounds, not universal default solutions.

Alex.
