From 29b4c6ab9a917200a37d6fca1243a7f57caba922 Mon Sep 17 00:00:00 2001 From: Tom Most Date: Sun, 27 Mar 2022 22:17:30 -0700 Subject: [PATCH] Correct chunk extension byte validation Go back to the RFC to figure out the correct allowed ranges. Upstream-Status: Backport [https://github.com/twisted/twisted/commit/fa9caa54d63399b4ccdfbf0429ba1b504ccc7c89] CVE: CVE-2022-24801 Signed-off-by: Gyorgy Sarvari --- src/twisted/web/http.py | 49 ++++++++++++++++++++++++++++++- src/twisted/web/test/test_http.py | 8 ++++- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py index ea77f57..81df437 100644 --- a/src/twisted/web/http.py +++ b/src/twisted/web/http.py @@ -418,7 +418,7 @@ def _ishexdigits(b: bytes) -> bool: and 0-9. """ for c in b: - if c not in b'0123456789abcdefABCDEF': + if c not in b"0123456789abcdefABCDEF": return False return bool(b) @@ -1816,6 +1816,47 @@ class _IdentityTransferDecoder: maxChunkSizeLineLength = 1024 +_chunkExtChars = ( + b"\t !\"#$%&'()*+,-./0123456789:;<=>?@" + b"ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`" + b"abcdefghijklmnopqrstuvwxyz{|}~" + b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" + b"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" + b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf" + b"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" + b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf" + b"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" + b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef" + b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" +) +""" +Characters that are valid in a chunk extension. + +See RFC 7230 section 4.1.1: + + chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ) + + chunk-ext-name = token + chunk-ext-val = token / quoted-string + +Section 3.2.6: + + token = 1*tchar + + tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" + / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" + / DIGIT / ALPHA + ; any VCHAR, except delimiters + + quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE + qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text + obs-text = %x80-FF + +We don't check if chunk extensions are well-formed beyond validating that they +don't contain characters outside this range. +""" + + class _ChunkedTransferDecoder: """ Protocol for decoding I{chunked} Transfer-Encoding, as defined by RFC 7230, @@ -1915,6 +1956,12 @@ class _ChunkedTransferDecoder: except ValueError: raise _MalformedChunkedDataError("Chunk-size must be an integer.") + ext = self._buffer[endOfLengthIndex + 1 : eolIndex] + if ext and ext.translate(None, _chunkExtChars) != b"": + raise _MalformedChunkedDataError( + f"Invalid characters in chunk extensions: {ext!r}." + ) + if length == 0: self.state = "TRAILER" else: diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py index 201991f..eccb9b0 100644 --- a/src/twisted/web/test/test_http.py +++ b/src/twisted/web/test/test_http.py @@ -1379,7 +1379,13 @@ class ChunkedTransferEncodingTests(unittest.TestCase): This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq. """ - for b in [*range(0, 0x09), *range(0x10, 0x21), *range(0x74, 0x80)]: + invalidControl = ( + b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\n\x0b\x0c\r\x0e\x0f" + b"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + ) + invalidDelimiter = b"\\" + invalidDel = b"\x7f" + for b in invalidControl + invalidDelimiter + invalidDel: data = b"3; " + bytes((b,)) + b"\r\nabc\r\n" p = http._ChunkedTransferDecoder( lambda b: None, # pragma: nocov