Stripping NUL from the ends of header values
kenballus opened this issue · 1 comments
kenballus commented
WEBrick strips null bytes from the ends of header values. This presents a problem for reverse proxies that attempt enforce policies about header values and also allow null bytes in header values. At least one popular HTTP proxy server does this.
For example, if I have WEBrick deployed behind a reverse proxy that forwards null bytes in header values, and I add a rule to the reverse proxy to reject all requests with an Evil: evil
header, I can bypass the rule by sending the following request:
GET / HTTP/1.1\r\n
Evil: evil\x00\r\n
\r\n
WEBrick should respond 400 to any request containing null bytes in a header value, because it's a violation of the standard, and indicative of a potential attack.
jeremyevans commented
I pushed a fix for this as part of #125.