RFC 9110 specifies that header field names must be nonempty:

```
field-name = token
token = 1*tchar
```
FastHTTP does not enforce this rule, and allows empty header names.
For example, FastHTTP accepts the following request:

```
GET / HTTP/1.1\r\n
Host: a\r\n
: no-name\r\n
\r\n
\r\n
```

In the past, empty header names have been used to execute request smuggling attacks, due to the fact that some gateways have historically treated `\r\n:\r\n` equivalently to `\r\n\r\n`.
Most HTTP servers (including AIOHTTP, Apache, Daphne, Deno, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Lighttpd, Nginx, Node.js, LiteSpeed, Passenger, Puma, Tomcat, Unicorn, Uvicorn, Waitress, and WEBrick) reject requests containing empty header names. FastHTTP should probably do the same.
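As an added illustration (not FastHTTP's code, and not part of the issue above), the following Go snippet shows what enforcing the `field-name = token = 1*tchar` rule looks like in a minimal header-section parser. `ParseHeaders`, `ValidFieldName` and the two sample requests are constructed for this example; the second sample is the request quoted in the issue, and the parser rejects it with `ErrEmptyFieldName` instead of accepting a nameless field.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// isTchar reports whether c is a tchar per RFC 9110 section 5.6.2:
// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
//         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
func isTchar(c byte) bool {
	switch {
	case c >= '0' && c <= '9', c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidFieldName enforces field-name = token = 1*tchar: at least one
// character, and every character a tchar. The empty string fails the "1*".
func ValidFieldName(name string) bool {
	if len(name) == 0 {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return false
		}
	}
	return true
}

var (
	ErrEmptyFieldName   = errors.New("empty header field name")
	ErrInvalidFieldName = errors.New("invalid character in header field name")
)

// ParseHeaders reads the header section of a raw HTTP/1.1 request (the
// request line is skipped) and returns the fields in order as name/value
// pairs. A field whose name is empty or not a valid token is an error, so
// a line such as ": no-name" is rejected rather than silently stored.
func ParseHeaders(raw []byte) ([][2]string, error) {
	r := bufio.NewReader(bytes.NewReader(raw))
	if _, err := r.ReadString('\n'); err != nil {
		return nil, fmt.Errorf("missing request line: %w", err)
	}
	var hdrs [][2]string
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return nil, fmt.Errorf("truncated header section: %w", err)
		}
		line = strings.TrimRight(line, "\r\n")
		if line == "" { // blank line terminates the header section
			return hdrs, nil
		}
		idx := strings.IndexByte(line, ':')
		if idx < 0 {
			return nil, fmt.Errorf("header line without colon: %q", line)
		}
		name := line[:idx]
		if name == "" {
			return nil, ErrEmptyFieldName
		}
		if !ValidFieldName(name) {
			return nil, ErrInvalidFieldName
		}
		hdrs = append(hdrs, [2]string{name, strings.TrimSpace(line[idx+1:])})
	}
}

// Constructed samples: goodRequest is well-formed; badRequest is the request
// quoted in the issue, carrying a header line with an empty field name.
const goodRequest = "GET / HTTP/1.1\r\nHost: a\r\nX-Trace: 1\r\n\r\n"
const badRequest = "GET / HTTP/1.1\r\nHost: a\r\n: no-name\r\n\r\n\r\n"

func main() {
	for _, req := range []string{goodRequest, badRequest} {
		h, err := ParseHeaders([]byte(req))
		fmt.Printf("%q\n  headers=%v err=%v\n", req, h, err)
	}
}
```

Returning a distinct error for the empty-name case lets a server both reject the request with a 400 and log the condition separately, which is useful for spotting the `\r\n:\r\n` pattern the issue mentions in access logs.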