Cheroot ignores the Content-Length header when the connection is half-closed. #724

Open
1 of 3 tasks
kenballus opened this issue Jul 4, 2024 · 0 comments
Labels
bug Something is broken triage

@kenballus

❓ I'm submitting a ...

  • 🐞 bug report
  • 🐣 feature request
  • ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?
From RFC 9112:

If a valid Content-Length header field is present without Transfer-Encoding, its decimal value defines the expected message body length in octets. If the sender closes the connection or the recipient times out before the indicated number of octets are received, the recipient MUST consider the message to be incomplete and close the connection.

Cheroot does not enforce this rule. When it receives a request, and the sender half-closes the connection, Cheroot responds regardless of whether the request's body has been fully received.

❓ What is the motivation / use case for changing the behavior?
RFC compliance and hardening against potential framing-related attacks.

💡 To Reproduce

  1. Start a Cheroot-based HTTP server that echoes the message body. (e.g., this one)
  2. Send it a request with an incomplete message body, followed by half-closing the socket, and observe that it still responds:

     printf 'GET / HTTP/1.1\r\nHost: a\r\nContent-Length: 10\r\n\r\nA' | nc localhost 80
     HTTP/1.1 200 OK
     Content-type: application/json
     Content-Length: 133
     Date: Thu, 04 Jul 2024 16:12:55 GMT
     Server: Cheroot/10.0.2.dev71+g1ff20b18

     {"headers":[["SE9TVA==","YQ=="],["Q09OVEVOVF9MRU5HVEg=","MTA="]],"body":"QQ==","version":"SFRUUC8xLjE=","uri":"Lw==","method":"R0VU"}

  3. Decode the response to see that it accepted the incomplete message body:

     printf '{"headers":[["SE9TVA==","YQ=="],["Q09OVEVOVF9MRU5HVEg=","MTA="]],"body":"QQ==","version":"SFRUUC8xLjE=","uri":"Lw==","method":"R0VU"}' \
         | jq '.["body"]' \
         | xargs echo \
         | base64 -d \
         | xxd
     00000000: 41                                       A

💡 Expected behavior
Cheroot should close the connection, as the RFC requires.

📋 Environment

  • Cheroot version: 10.0.2.dev71+g1ff20b18
  • Python version: 3.11.9
  • OS: Linux d8087152685c 6.9.7-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 28 Jun 2024 04:32:50 +0000 x86_64 GNU/Linux
@kenballus kenballus added bug Something is broken triage labels Jul 4, 2024
@kenballus kenballus changed the title Cheroot doesn't ignores the Content-Length header when the connetion is half-closed. Cheroot ignores the Content-Length header when the connetion is half-closed. Jul 4, 2024
@kenballus kenballus changed the title Cheroot ignores the Content-Length header when the connetion is half-closed. Cheroot ignores the Content-Length header when the connection is half-closed. Jul 4, 2024
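
The check that the RFC 9112 passage quoted in this issue calls for, as an added example that is not Cheroot's code and not the reporter's: a body reader that treats EOF before `Content-Length` octets as an incomplete message, exercised over a local socket pair with the same truncated request and half-close. The names `read_exact_body`, `handle` and `IncompleteBody` are hypothetical, and the header parsing is deliberately minimal.

```python
import socket

class IncompleteBody(Exception):
    """EOF arrived before Content-Length octets were received."""

def read_exact_body(rfile, content_length):
    """Return exactly content_length octets from rfile, or raise IncompleteBody."""
    chunks, remaining = [], content_length
    while remaining:
        chunk = rfile.read(min(remaining, 65536))
        if not chunk:  # EOF: the sender closed (or half-closed) early
            got = content_length - remaining
            raise IncompleteBody(f"got {got} of {content_length} octets")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

def handle(request_bytes):
    """Send request_bytes over a socketpair, half-close the client side,
    and return ("respond", body) or ("close", reason)."""
    client, server = socket.socketpair()
    with client, server, server.makefile("rb") as rfile:
        client.sendall(request_bytes)
        client.shutdown(socket.SHUT_WR)  # half-close, like nc at end of stdin
        rfile.readline()  # request line (not validated here)
        headers = {}
        while (line := rfile.readline()) not in (b"\r\n", b""):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        # Assumption: Content-Length is a valid decimal and there is no
        # Transfer-Encoding; a real server must validate both.
        length = int(headers.get(b"content-length", b"0"))
        try:
            return ("respond", read_exact_body(rfile, length))
        except IncompleteBody as exc:
            # Incomplete message: close the connection instead of responding.
            return ("close", str(exc))

# Constructed inputs: the truncated request from the report, and a complete one.
TRUNCATED = b"GET / HTTP/1.1\r\nHost: a\r\nContent-Length: 10\r\n\r\nA"
COMPLETE = b"GET / HTTP/1.1\r\nHost: a\r\nContent-Length: 1\r\n\r\nA"

if __name__ == "__main__":
    print(handle(TRUNCATED))
    print(handle(COMPLETE))
```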