❓ I'm submitting a ...
🐞 Describe the bug. What is the current behavior?
Cheroot accepts requests with multiple Content-Length headers, prioritizing the second. It is therefore vulnerable to request smuggling when paired with a gateway server that forwards requests with multiple Content-Length headers, prioritizing the first.
❓ What is the motivation / use case for changing the behavior?
This is a vulnerability.
I reported this privately through the official channel on June 8th, 2024, but received no response.
💡 To Reproduce
- Start a cheroot-based web server.
- Send it an otherwise valid request with multiple Content-Length headers.
- Watch it prioritize the second header over the first.
💡 Expected behavior
The request should be rejected with status 400.
📋 Environment
- Cheroot version:
main branch, commit 088647e
- Python version: Python 3.14.0a3+
- OS:
Linux 8a89c2a1a5fb 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux
❓ I'm submitting a ...
🐞 Describe the bug. What is the current behavior?
Cheroot accepts requests with multiple
Content-Lengthheaders, prioritizing the second. It is therefore vulnerable to request smuggling when paired with a gateway server that forwards requests with multipleContent-Lengthheaders, prioritizing the first.❓ What is the motivation / use case for changing the behavior?
This is a vulnerability.
I reported this privately through the official channel on June 8th, 2024, but received no response.
💡 To Reproduce
💡 Expected behavior
The request should be rejected with status 400.
📋 Environment
mainbranch, commit 088647eLinux 8a89c2a1a5fb 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux