Daphne allows `\x00` within header values.

Question

Daphne allows `\x00` within header values.

kenballus opened this issue 5 months ago · 3 comments

Steps to reproduce

Run this WSGI application with Daphne:

$ daphne -b 0.0.0.0 -p 80 server:app

(This application just base64-encodes and echos back various parts of the incoming request)

Send a request with a null byte in a header called Test, then extract and decode the Test header value:

$ printf 'GET / HTTP/1.1\r\nHost: whatever\r\nTest: a\x00a\r\n\r\n' \
| timeout 1 ncat --no-shutdown localhost 80 \
| grep 'headers' \
| jq '.["headers"][1][1]' \
| sed 's/"//g' \
| base64 -d \
| xxd
00000000: 6100 61                                  a.a

Observe that the null byte is present in the response.

What I expected to happen

RFC 9110 says this:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.

Daphne complies with this rule for CR and LF, so I expected that Daphne would also comply for NUL by either rejecting the request or replacing the null byte with a space.

Platform

Linux 6.9.6, Daphne main @ 0f15e45

Answer 1 · 2024-06-29T12:23:11.000Z

Hi @kenballus. Thanks for the report. Yes, that looks like something to clean up. Would you like to prepare a PR?

Answer 2 · 2024-06-29T15:10:21.000Z

Upon further investigation, I'm pretty sure this is a bug in Twisted. I'll submit a PR there.

Answer 3 · 2024-06-29T15:15:23.000Z

Ok, great. Please do let me know how you get on.