Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fish 9690 filtering incorrect characters from header rfc 9110 #39

Open
wants to merge 7 commits into
base: 4.0.1.payara-maintenance
Choose a base branch
from
Open

Fish 9690 filtering incorrect characters from header rfc 9110 #39

wants to merge 7 commits into from

Conversation

breakponchito
Copy link

@breakponchito breakponchito commented Nov 12, 2024
edited
Loading

This is a PR to include new properties on the grizzly implementation to enable Header Name and Header Value validation against invalid characters mentioned on the RFC-9110, here the reference of the reported issue: Glassfish issue and here the reserved CVE CVE-2024-45687

To test this set the dependency version on the payara server: 4.0.2.payara-p2 build and run
deploy the following reproducer:
ReproducerJDK11.zip

after starting the server set the following properties on the Payara configuration. You can do it by console ui, command line or directly on the domain.xml file:

  • -Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110=true
  • -Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110=true

image

image

asadmin create-jvm-options --target=server-config "-Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110\=true"

asadmin create-jvm-options --target=server-config "-Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110\=true"

after adding the properties you need to restart the server

by default on the grizzly side those properties are set as false

deploy the reproducer and make curl calls

Header Name Validation tests:

the result of any of those test should be error 400:
image

Header Value Validations tests:

In the case of header validation we can't be very strict on the validation that is why the \n is permitted an is evaluated as a new line on the content for the header value and the \0 is immediately not processed from curl because by default we can't consider that character on the request headers and the \r character can be included as a character on the header values and this will be rejected

@breakponchito breakponchito mentioned this pull request Nov 12, 2024
Open
@carryel @breakponchito
Issue eclipse-ee4j#2212 Enhances validation of HTTP header names
b0ca271 
+ Added the validation of HTTP header values
+ Name and value's validation are provided as options. (Improved based on carryel#1 @breakponchito)
@carryel @breakponchito
Issue eclipse-ee4j#2212 Enhances validation of HTTP header names
b8b282f 
+ trivial) updated license and re-trigger status checks(eclipse-ee4j#2213).
Pandrex247
Pandrex247 requested changes Nov 22, 2024
View reviewed changes
Copy link
Member

@Pandrex247 Pandrex247 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rework to be semantically compatible with a minor version update (no breaking API changes)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pandrex247 Pandrex247 Pandrex247 requested changes

@luiseufrasio luiseufrasio Awaiting requested review from luiseufrasio

@aubi aubi Awaiting requested review from aubi

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@breakponchito @Pandrex247 @carryel