
Vendored llhttp 8.1.1 is vulnerable #111

Closed
mgorny opened this issue Oct 16, 2024 · 4 comments · Fixed by #113

Comments

@mgorny
Contributor

mgorny commented Oct 16, 2024

httptools is currently vendoring llhttp 8.1.1 which is vulnerable to CVE-2024-27982.

elprans added a commit that referenced this issue Oct 16, 2024
CVE-2024-27982

Adjust tests that relied on header folding.

Fixes: #111
@mgorny
Contributor Author

mgorny commented Oct 16, 2024

And after upgrading to 8.1.2, I'm seeing failures, because it no longer accepts multiline headers. FWICS, it may be possible to avoid this by using llhttp_set_lenient_headers(), but I guess that reintroduces the vulnerability. Alternatively, the tests could be updated not to rely on that anymore but I don't know if that's going to break consumers or not.

@elprans
Member

elprans commented Oct 16, 2024

Yeah, I went with the latter approach in #113, though maybe httptools should expose the lenient_headers opt-in in case people rely on it.

elprans added a commit that referenced this issue Oct 16, 2024
CVE-2024-27982

Expose leniency flags via the new `set_dangerous_leniencies` parser
method if somebody needs to opt into the old vulnerable behavior.

Fixes: #111
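What the thread calls "multiline headers" is RFC 7230 obs-fold: a header value continued on a following line that begins with whitespace. The example below is added for this page and is not httptools or llhttp code; `parse_headers`, `rejects_folding` and the sample request are constructed here. It shows a strict parser refusing such a line, as llhttp 8.1.2 does by default, beside a lenient mode that joins it, which is the older behaviour a leniency opt-in restores.

```python
from typing import Dict

class FoldedHeaderError(ValueError):
    """Raised in strict mode when an obs-fold (folded) header line is seen."""

# Constructed sample request (not from the thread): the X-Example value is
# split over two lines, the second starting with whitespace (RFC 7230 obs-fold).
FOLDED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Example: foo\r\n"
    b"\tbar\r\n"  # continuation line belonging to X-Example
    b"\r\n"
)

def parse_headers(raw: bytes, lenient: bool = False) -> Dict[bytes, bytes]:
    """Parse an HTTP/1.1 header block into {lowercased name: value}.

    Strict mode (default) rejects obs-fold continuation lines, as llhttp 8.1.2
    does by default; lenient mode joins them onto the previous value with one
    space, the older permissive behaviour that a leniency opt-in restores.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers: Dict[bytes, bytes] = {}
    last_name = None
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):  # obs-fold continuation
            if not lenient or last_name is None:
                raise FoldedHeaderError("folded header line rejected: %r" % line)
            headers[last_name] += b" " + line.strip()
            continue
        name, colon, value = line.partition(b":")
        if not colon or not name or name.strip() != name:
            raise ValueError("malformed header line: %r" % line)
        last_name = name.lower()
        value = value.strip()
        if last_name in headers:  # repeated header: combine as a comma list
            value = headers[last_name] + b", " + value
        headers[last_name] = value
    return headers

def rejects_folding(raw: bytes) -> bool:
    """True when the strict parser refuses the message because of obs-fold."""
    try:
        parse_headers(raw)
    except FoldedHeaderError:
        return True
    return False
```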
@elprans
Member

elprans commented Oct 16, 2024

Alright, I rerolled #113 with leniency flags exposed.

@mgorny
Contributor Author

mgorny commented Oct 16, 2024

Thanks!
