Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WSGI header spoofing via underscore/dash conflation #2799

Closed
TomiBelan opened this issue May 18, 2022 · 0 comments · Fixed by #3113
Closed

WSGI header spoofing via underscore/dash conflation #2799

TomiBelan opened this issue May 18, 2022 · 0 comments · Fixed by #3113
Labels
Feature/Http

Comments

@TomiBelan
Copy link
Contributor

Gunicorn normalizes headers by converting dashes to underscores. Both Foo-Bar and Foo_Bar become HTTP_FOO_BAR. Additionally, if the HTTP request contains both Foo-Bar: a and Foo_Bar: b, Gunicorn merges them to {'HTTP_FOO_BAR': 'a,b'}.

This can lead to vulnerabilities in some web apps. If a header is used in a security-sensitive way (for instance, passing authentication information along from a front-end proxy), even if the proxy carefully strips any incoming value for X-Auth-User, an attacker may be able to provide an X-Auth_User header (with underscore) and bypass this protection.

Another example: if the attacker sets X_Forwarded_For: 5.6.7.8 (fake IP) and the front proxy sets X-Forwarded-For: 1.2.3.4 (real IP), the Python app could see 1.2.3.4,5.6.7.8 or 5.6.7.8,1.2.3.4 depending on the proxy's header order.

See also: https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html

Because of this risk, many servers ignore any header whose name contains underscores.

What should Gunicorn do about this?

  • "Always ignore headers with underscores." - Probably a bad idea, I'm sure many Gunicorn users rely on the current behavior.
  • "Add an option like Nginx's underscores_in_headers, default to ignore them." - My personal favorite option, but it is probably a major compatibility break. And it will definitely cause some confusion - every server that made this change has a ton of online questions asked about it.
  • "Add an option like Nginx's underscores_in_headers, default to allow them." - Sad, but at least some users can opt-in.
@Tankilevitch Tankilevitch mentioned this issue Apr 30, 2023
Merged
@benoitc benoitc added this to the 21.0 release milestone May 7, 2023
@pajod pajod mentioned this issue Dec 12, 2023
Merged
@jeremystretch jeremystretch mentioned this issue Apr 29, 2024
Closed
@evgeni evgeni mentioned this issue Jun 13, 2024
Closed
evgeni added a commit to evgeni/puppet-pulpcore that referenced this issue Sep 4, 2024
@evgeni
Don't use underscores in HTTP headers
a3f3e89 
Those are rejected by Gunicorn 22+, see [1] for details.
For older releases of Gunicorn we still unset the underscore notation.

[1] benoitc/gunicorn#2799
@evgeni evgeni mentioned this issue Sep 4, 2024
Merged
ekohl pushed a commit to theforeman/puppet-pulpcore that referenced this issue Sep 4, 2024
@evgeni @ekohl
Don't use underscores in HTTP headers
5aebaae 
Those are rejected by Gunicorn 22+, see [1] for details.
For older releases of Gunicorn we still unset the underscore notation.

[1] benoitc/gunicorn#2799
Odilhao pushed a commit to Odilhao/puppet-pulpcore that referenced this issue Oct 11, 2024
@evgeni
Don't use underscores in HTTP headers
a42e8fd 
Those are rejected by Gunicorn 22+, see [1] for details.
For older releases of Gunicorn we still unset the underscore notation.

[1] benoitc/gunicorn#2799
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature/Http
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix numerous message parsing issues (v2) pajod/gunicorn
2 participants
@benoitc @TomiBelan