Jan 24 2017

hyper security vulnerability: message splitting

hyper’s serializing of headers to the socket did not filter the values for newline bytes (\r or \n), which allowed for header values to split a request or response.

This does not occur from headers that are parsed by hyper, as hyper’s header parser strictly does not include newlines in header values.

People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input.

```rust
use hyper::header::{Headers, SetCookie};

let mut headers = Headers::new();
// submitted may be some POST variable that wasn't sanitized
let submitted = "Sean\r\nLocation: /";
let cookie = format!("name={}", submitted);
headers.set(SetCookie(vec![cookie]));
// before the fix this wrote 2 headers to the socket, Set-Cookie and Location
```

Updates have been released for the 0.9.x and 0.10.x branches (and merged into master). A cargo update should be all that is required to pull in the fix. The released fix replaces all instances of \r and \n with a single space character when serializing a header value to the socket.
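To make the effect of the fix concrete, here is an added illustration (not hyper's own code) that models the header-line serialization step before and after the change, using the same constructed input as the snippet above. The function names and the line-counting helper are assumptions for this example.

```rust
// Added illustration of the serialization fix described above; this is not
// hyper's own code. It models only the "write one header line" step.

/// Header line as the affected 0.9.x / 0.10.x releases wrote it: the value
/// goes to the socket byte-for-byte, so a CR or LF inside it ends the line.
pub fn serialize_header_unfiltered(name: &str, value: &str) -> String {
    format!("{}: {}\r\n", name, value)
}

/// Header line with the released fix applied: every '\r' and '\n' in the
/// value is replaced with a space before it reaches the wire.
pub fn serialize_header_fixed(name: &str, value: &str) -> String {
    let cleaned: String = value
        .chars()
        .map(|c| if c == '\r' || c == '\n' { ' ' } else { c })
        .collect();
    format!("{}: {}\r\n", name, cleaned)
}

/// Count how many header lines a receiver would see in `wire`. Splits on LF
/// and strips a trailing CR, so a bare '\n' is also treated as a line end.
pub fn count_header_lines(wire: &str) -> usize {
    wire.split('\n')
        .map(|l| l.trim_end_matches('\r'))
        .filter(|l| !l.is_empty())
        .count()
}

fn main() {
    // Constructed sample: the same unsanitized input as in the post.
    let submitted = "Sean\r\nLocation: /";
    let cookie = format!("name={}", submitted);
    let before = serialize_header_unfiltered("Set-Cookie", &cookie);
    let after = serialize_header_fixed("Set-Cookie", &cookie);
    println!("before fix: {} header line(s)", count_header_lines(&before)); // 2
    println!("after fix:  {} header line(s)", count_header_lines(&after)); // 1
    println!("{:?}", after);
}
```

Note that the fix keeps the injected text inside the Set-Cookie value (with two spaces where CR LF were); it does not reject the input, so applications should still validate user-supplied header values themselves.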

Timeline

  • 2017-01-16: @skylerberg emailed me explaining the vulnerability.
  • 2017-01-20: A fix was prepared, disclosure process determined, and it was decided to wait until after the weekend to release.
  • 2017-01-23: 0.9.16 and 0.10.2 were released with the fix.
  • 2017-01-25: 0.9.17 was published since crates.io had a corrupted entry for 0.9.16.

Thanks to @skylerberg for responsibly reporting this, and @jdm and @brson for helping with a release process.
