ruby/webrick

Stripping NUL from the ends of header values

kenballus opened this issue · 1 comments

WEBrick strips null bytes from the ends of header values. This presents a problem for reverse proxies that attempt to enforce policies about header values and also allow null bytes in header values. At least one popular HTTP proxy server does this.

For example, if I have WEBrick deployed behind a reverse proxy that forwards null bytes in header values, and I add a rule to the reverse proxy to reject all requests with an Evil: evil header, I can bypass the rule by sending the following request:

```
GET / HTTP/1.1\r\n
Evil: evil\x00\r\n
\r\n
```

WEBrick should respond 400 to any request containing null bytes in a header value, because it's a violation of the standard, and indicative of a potential attack.

I pushed a fix for this as part of #125.
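The parsing mismatch described in this issue, as an added example that is not part of the original issue and is not WEBrick's code. All helper names are hypothetical; `String#strip` stands in for the lenient behaviour reported above, and the proxy rule is modelled as a byte-exact comparison.

```ruby
class BadRequest < StandardError; end

# Constructed sample: the request from the issue as raw bytes.
RAW_REQUEST = "GET / HTTP/1.1\r\nEvil: evil\x00\r\n\r\n".b

# Remove only optional whitespace (SP / HTAB) around a field value.
def trim_ows(value)
  value.gsub(/\A[ \t]+|[ \t]+\z/, "")
end

# Split the header block into [name, raw_value] pairs without trimming.
def raw_header_fields(raw)
  head = raw.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).map do |line|
    name, value = line.split(":", 2)
    raise BadRequest, "malformed header line" if value.nil?
    [name, value]
  end
end

# Lenient backend (assumption): String#strip drops a trailing NUL
# together with whitespace, so "evil\x00" is seen as "evil".
def lenient_headers(raw)
  raw_header_fields(raw).to_h { |name, value| [name.downcase, value.strip] }
end

# Strict backend: trim SP / HTAB only, then refuse any NUL left in the value.
def strict_headers(raw)
  raw_header_fields(raw).to_h do |name, value|
    trimmed = trim_ows(value)
    raise BadRequest, "NUL in #{name} value" if trimmed.include?("\0")
    [name.downcase, trimmed]
  end
end

# Proxy rule from the issue, modelled as a byte-exact match on "Evil: evil".
def proxy_blocks?(raw)
  raw_header_fields(raw).any? do |name, value|
    name.casecmp?("Evil") && trim_ows(value) == "evil"
  end
end

# Status a strict backend would return for the request.
def status_for(raw)
  strict_headers(raw)
  200
rescue BadRequest
  400
end
```

With the sample request, the proxy rule does not match, the lenient parser yields `evil`, and the strict parser answers 400, so the two hops can no longer disagree about the value.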