Opened 7 years ago
Closed 6 years ago
#1435 closed defect (wontfix)
NGINX allows sending of a malformed header per RFC7540 Section 10.3
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | other | Version: | 1.13.x |
Keywords: | Cc: | ||
uname -a: | Linux web02 4.9.50-x86_64-linode86 #1 SMP Thu Sep 14 19:28:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.13.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) built with OpenSSL 1.1.0f 25 May 2017 TLS SNI support enabled configure arguments: --with-openssl=/root/openssl-1.1.0f/ --add-module=/root/ngx_pagespeed-1.12.34.3-stable --prefix=/opt/nginx --with-http_ssl_module --with-http_slice_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --with-http_sub_module --with-http_stub_status_module --with-http_flv_module --with-http_xslt_module --with-http_image_filter_module --with-mail --with-mail_ssl_module --with-http_mp4_module --with-http_v2_module |
Description
NGINX allows a header to be sent containing CRLF. At the moment Firefox crashes out when receiving them, and Chrome allows, and parses, the malformed header. There is currently a bug submitted to Chrome to fix this behavior.
This centers around the following:
While most of the values that can be encoded will not alter header
field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII
0xa), and the zero character (NUL, ASCII 0x0) might be exploited by
an attacker if they are translated verbatim. Any request or response
that contains a character not permitted in a header field value MUST
be treated as malformed (Section 8.1.2.6). Valid characters are
defined by the "field-content" ABNF rule in Section 3.2 of [RFC7230].
This was discovered when using a multi-line CSP policy for my readability & ease of editing in an NGINX config. The multi-line CSP would cause FF to fail without notice. Chrome, however, would parse and apply the CSP correctly. Through research, it was found that this was the opposite behavior required per RFC7540 Section 10.3. The FireFox team suggested I submit a report to NGINX with this information.
Original Firefox bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=1411659)
Subsequent Chromium bug report (https://bugs.chromium.org/p/chromium/issues/detail?id=787581)
A testing page can be found with the malformed CSP header at ( https://discinsights.com/csp-test.html ).
nginx does not try to restrict what can be returned using the
add_header
directive. It is a special low-level directive to add abitrary user-defined headers to the response. It is up to the user to use this directive correctly.