Recently, the CVE-2019-16869 vulnerability was disclosed in Netty 4.x.
Details are here:
The fix is to upgrade to version 4.1.42.Final.
The specific behavior is as follows:
- http request smuggling, caused by obfuscating TE header
- Expected behavior
  - ignore obfuscating TE header ("Transfer-Encoding : chunked" vs "Transfer-Encoding: chunked")
- Actual behavior
  - use Transfer-Encoding[space] as Transfer-Encoding
- Steps to reproduce
  1. topology: client→elb→nettyServer
  2. client sends a request with both content-length and trunked-encoded[space]
  3. elb ignored trunked-encoded[space], but uses content-length
  4. netty uses trunked-encoded[space]
- Minimal yet complete reproducer code (or URL to code)
  - when a header field ends with a space but not a colon, should the space be ignored?
    cannot find proof in .
  - code in `io.netty.handler.codec.http.HttpObjectDecoder#splitHeader`:

    ```java
    // The header-name scan stops at ':' or at any whitespace,
    // so "Transfer-Encoding " is read as "Transfer-Encoding".
    for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
        char ch = sb.charAt(nameEnd);
        if (ch == ':' || Character.isWhitespace(ch)) {
            break;
        }
    }
    ```
- Netty version
  - all
- JVM version (e.g. java -version)
- OS version (e.g. uname -a)
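
The difference between the name scan quoted above and a scan that follows RFC 7230 section 3.2.4 (no whitespace is allowed between the field name and the colon), shown as an added Java example that is not Netty's code or its 4.1.42.Final patch. The class, the helpers `lenientName` and `strictName`, and the sample header lines are constructed for illustration.

```java
public class HeaderNameDemo {
    // Name scan as quoted from HttpObjectDecoder#splitHeader (simplified to start
    // at index 0): it stops at ':' OR at whitespace, so the trailing space is dropped.
    static String lenientName(String line) {
        int nameEnd = 0;
        for (; nameEnd < line.length(); nameEnd++) {
            char ch = line.charAt(nameEnd);
            if (ch == ':' || Character.isWhitespace(ch)) {
                break;
            }
        }
        return line.substring(0, nameEnd);
    }

    // Hypothetical strict scan: RFC 7230 section 3.2.4 allows no whitespace between
    // field name and colon, so such a line is rejected instead of normalised.
    static String strictName(String line) {
        int colon = line.indexOf(':');
        if (colon <= 0) {
            throw new IllegalArgumentException("no header name");
        }
        for (int i = 0; i < colon; i++) {
            if (Character.isWhitespace(line.charAt(i))) {
                throw new IllegalArgumentException("whitespace in header name");
            }
        }
        return line.substring(0, colon);
    }

    public static void main(String[] args) {
        // Constructed sample header lines; the second one is the obfuscated TE header.
        String[] lines = {
            "Content-Length: 4",
            "Transfer-Encoding : chunked",
            "Transfer-Encoding: chunked"
        };
        for (String line : lines) {
            String strict;
            try {
                strict = strictName(line);
            } catch (IllegalArgumentException e) {
                strict = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.printf("%-30s lenient=%-18s strict=%s%n",
                    "[" + line + "]", lenientName(line), strict);
        }
    }
}
```

For the obfuscated line, the lenient scan yields `Transfer-Encoding` while the strict scan rejects the line, which is the disagreement between Netty and the front-end proxy that the report describes.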
Source: http://www.bubuko.com/infodetail-3241074.html