Opened 3 years ago

Closed 2 years ago

#1435 closed defect (wontfix)

NGINX allows sending of a malformed header per RFC7540 Section 10.3

Reported by: saeohioalpha@…
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.13.x
Keywords:
Cc:
uname -a: Linux web02 4.9.50-x86_64-linode86 #1 SMP Thu Sep 14 19:28:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-openssl=/root/openssl-1.1.0f/ --add-module=/root/ngx_pagespeed-1.12.34.3-stable --prefix=/opt/nginx --with-http_ssl_module --with-http_slice_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --with-http_sub_module --with-http_stub_status_module --with-http_flv_module --with-http_xslt_module --with-http_image_filter_module --with-mail --with-mail_ssl_module --with-http_mp4_module --with-http_v2_module

Description

NGINX allows a header to be sent containing CRLF. At the moment Firefox crashes out when receiving them, and Chrome allows, and parses, the malformed header. There is currently a bug submitted to Chrome to fix this behavior.

This centers around the following:

While most of the values that can be encoded will not alter header
field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII
0xa), and the zero character (NUL, ASCII 0x0) might be exploited by
an attacker if they are translated verbatim. Any request or response
that contains a character not permitted in a header field value MUST
be treated as malformed (Section 8.1.2.6). Valid characters are
defined by the "field-content" ABNF rule in Section 3.2 of [RFC7230].

This was discovered when using a multi-line CSP policy for my readability & ease of editing in an NGINX config. The multi-line CSP would cause FF to fail without notice. Chrome, however, would parse and apply the CSP correctly. Through research, it was found that this was the opposite behavior required per RFC7540 Section 10.3. The Firefox team suggested I submit a report to NGINX with this information.

Original Firefox bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=1411659)
Subsequent Chromium bug report (https://bugs.chromium.org/p/chromium/issues/detail?id=787581)

A testing page can be found with the malformed CSP header at ( https://discinsights.com/csp-test.html ).
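A checker for the misconfiguration behind this ticket, added here as an example (it is not code from the ticket or from nginx): it scans the add_header directives in a constructed nginx snippet, flags any value that carries CR, LF or NUL (the characters RFC 7540 Section 10.3 rejects) or any other byte outside the RFC 7230 field-content rule, and shows the single-line form the CSP value should have been given in.

```python
import re

# Constructed nginx snippet (not from the ticket): the first add_header
# splits a CSP over several lines for readability, so the quoted value
# carries literal line breaks; the other two values are single-line.
NGINX_SNIPPET = '''
server {
    add_header Content-Security-Policy "default-src 'self';
        script-src 'self' https://cdn.example.com;
        object-src 'none'";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'";
}
'''

# RFC 7230 s3.2 field-content: VCHAR (0x21-0x7E), obs-text (0x80-0xFF), SP and HTAB.
# CR, LF and NUL are the three characters RFC 7540 s10.3 names as exploitable.
_FORBIDDEN = {"\r": "CR", "\n": "LF", "\x00": "NUL"}
_ALLOWED = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")

# add_header <name> <double-quoted | single-quoted | bare value>; DOTALL lets
# a quoted value span lines, which is exactly the case being detected.
_DIRECTIVE = re.compile(
    r'add_header\s+(?P<name>[^\s;]+)\s+'
    r'(?:"(?P<dq>(?:[^"\\]|\\.)*)"|\'(?P<sq>(?:[^\'\\]|\\.)*)\'|(?P<bare>[^\s;]+))',
    re.DOTALL,
)

def header_value_problems(value):
    """Return labels for forbidden characters found in a header field value."""
    found = [label for ch, label in _FORBIDDEN.items() if ch in value]
    if not found and not _ALLOWED.match(value):
        found.append("other-control-char")  # e.g. DEL or a C0 control other than HTAB
    return found

def check_add_headers(config_text):
    """Return (header name, problems) for every add_header directive in the config text."""
    results = []
    for m in _DIRECTIVE.finditer(config_text):
        value = next(v for v in (m.group("dq"), m.group("sq"), m.group("bare")) if v is not None)
        results.append((m.group("name"), header_value_problems(value)))
    return results

def normalize_value(value):
    """Collapse a multi-line value into the single-line form nginx should be given."""
    return " ".join(value.split())

if __name__ == "__main__":
    for name, problems in check_add_headers(NGINX_SNIPPET):
        print(f"{name}: {'MALFORMED ' + ','.join(problems) if problems else 'ok'}")
```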

Change History (1)

comment:1 by Maxim Dounin, 2 years ago

Resolution: wontfix
Status: new → closed

nginx does not try to restrict what can be returned using the add_header directive. It is a special low-level directive to add arbitrary user-defined headers to the response. It is up to the user to use this directive correctly.
