[io] http: improper handling of invalid `Transfer-Encoding`s · Issue #60481 · dart-lang/sdk · GitHub

Open
kenballus opened this issue Apr 4, 2025 · 0 comments

@kenballus
dart info
#### General info

- Dart 3.8.0-edge.f07915cb6e9da7efd5ad66a81d597ec5fa595440 (main) (Wed Mar 26 14:08:23 2025 -0700) on "linux_x64"
- on linux / Linux 6.12.21-1-lts #1 SMP PREEMPT_DYNAMIC Sat, 29 Mar 2025 06:39:46 +0000
- locale is en_US

#### Process info

| Memory |  CPU | Elapsed time | Command line     |
| -----: | ---: | -----------: | ---------------- |
| 120 MB | 0.2% |        09:46 | dart server.dart |

Bug 1: Dart does not recognize the ",chunked" transfer-coding.

RFC 9112 defines the acceptable values of a Transfer-Encoding header as follows:

```
Transfer-Encoding = #transfer-coding
```

The meaning of the "#" symbol is given in RFC 9110, section 5.6.1:

> A construct "#" is defined, similar to "*", for defining comma-delimited lists of elements. The full form is "#element" indicating at least and at most elements, each separated by a single comma (",") and optional whitespace (OWS, defined in Section 5.6.3).

Thus, a Transfer-Encoding header value consists of 0 or more comma-separated transfer-codings. (A transfer-coding is just a token with an optional trailing parameter. By far the most widely-used transfer-coding is "chunked".)

RFC 9110, section 5.6.1.2 goes on to state the following:

> A recipient MUST parse and ignore a reasonable number of empty list elements: enough to handle common mistakes by senders that merge values, but not so much that they could be used as a denial-of-service mechanism.

Therefore, a recipient of a message with a "Transfer-Encoding: ,chunked" header must ignore the leading "," and treat the header equivalently to "Transfer-Encoding: chunked".

The HTTP parser in the Dart standard library does not do this. Instead, it treats ",chunked" as a distinct transfer-coding from "chunked".

Bug 2: Dart ignores unrecognized transfer-codings.

From RFC 9112:

> A server that receives a request message with a transfer coding it does not understand SHOULD respond with 501 (Not Implemented).

The HTTP parser in the Dart standard library does not do this. Instead, it treats messages with unrecognized transfer-codings as though they have no message bodies.

These bugs can be used for request smuggling when the Dart stdlib HTTP implementation is used as a server behind certain load balancers.

@lrhn lrhn added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. library-io labels Apr 4, 2025
@a-siva a-siva added the triaged Issue has been triaged by sub team label Apr 9, 2025
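
The list handling described in the issue, as an added Python example (not part of the issue and not Dart SDK code): empty list elements are skipped up to a limit, and an unrecognized transfer-coding gets a 501 instead of being treated as "no body". `SUPPORTED`, `MAX_EMPTY`, the function names, and the choice of 400 for malformed, empty or repeated codings are assumptions of this example.

```python
import re

# RFC 9110 "token" characters; a transfer-coding name is a token.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
SUPPORTED = {"chunked"}  # assumption: the server implements only "chunked"
MAX_EMPTY = 8            # assumption: the "reasonable number" of empty elements

def parse_transfer_encoding(value):
    """Split a Transfer-Encoding field value into lowercase list elements.

    Empty elements (",chunked", "chunked,,") are ignored up to MAX_EMPTY.
    Raises ValueError for a non-token name or too many empty elements.
    """
    codings, empty = [], 0
    for element in value.split(","):
        element = element.strip(" \t")  # optional whitespace around elements
        if not element:
            empty += 1
            if empty > MAX_EMPTY:
                raise ValueError("too many empty list elements")
            continue
        name = element.split(";", 1)[0].strip(" \t")  # name before parameters
        if not TOKEN.match(name):
            raise ValueError(f"invalid transfer-coding: {element!r}")
        # Keep parameters attached so "chunked;x=y" is not mistaken for "chunked".
        codings.append(element.lower())
    return codings

def framing_decision(value):
    """Return (status, framing) for a request with this Transfer-Encoding value."""
    try:
        codings = parse_transfer_encoding(value)
    except ValueError:
        return 400, None
    if not codings:
        return 400, None  # assumption: refuse rather than guess the framing
    if any(c not in SUPPORTED for c in codings):
        return 501, None  # unrecognized coding: never fall back to "no body"
    if codings != ["chunked"]:
        return 400, None  # e.g. "chunked, chunked"
    return 200, "chunked"

if __name__ == "__main__":
    # Constructed sample header values.
    for sample in ["chunked", ",chunked", "bogus", "gzip, chunked"]:
        print(repr(sample), framing_decision(sample))
```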