1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
From 29b4c6ab9a917200a37d6fca1243a7f57caba922 Mon Sep 17 00:00:00 2001
From: Tom Most <twm@freecog.net>
Date: Sun, 27 Mar 2022 22:17:30 -0700
Subject: [PATCH] Correct chunk extension byte validation
Go back to the RFC to figure out the correct allowed ranges.
Upstream-Status: Backport [https://github.com/twisted/twisted/commit/fa9caa54d63399b4ccdfbf0429ba1b504ccc7c89]
CVE: CVE-2022-24801
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/twisted/web/http.py | 49 ++++++++++++++++++++++++++++++-
src/twisted/web/test/test_http.py | 8 ++++-
2 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
index ea77f57..81df437 100644
--- a/src/twisted/web/http.py
+++ b/src/twisted/web/http.py
@@ -418,7 +418,7 @@ def _ishexdigits(b: bytes) -> bool:
and 0-9.
"""
for c in b:
- if c not in b'0123456789abcdefABCDEF':
+ if c not in b"0123456789abcdefABCDEF":
return False
return bool(b)
@@ -1816,6 +1816,47 @@ class _IdentityTransferDecoder:
maxChunkSizeLineLength = 1024
+_chunkExtChars = (
+ b"\t !\"#$%&'()*+,-./0123456789:;<=>?@"
+ b"ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
+ b"abcdefghijklmnopqrstuvwxyz{|}~"
+ b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
+ b"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
+ b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
+ b"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
+ b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+ b"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
+ b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
+ b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
+)
+"""
+Characters that are valid in a chunk extension.
+
+See RFC 7230 section 4.1.1:
+
+ chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
+
+ chunk-ext-name = token
+ chunk-ext-val = token / quoted-string
+
+Section 3.2.6:
+
+ token = 1*tchar
+
+ tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+ / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+ / DIGIT / ALPHA
+ ; any VCHAR, except delimiters
+
+ quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
+ qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
+ obs-text = %x80-FF
+
+We don't check if chunk extensions are well-formed beyond validating that they
+don't contain characters outside this range.
+"""
+
+
class _ChunkedTransferDecoder:
"""
Protocol for decoding I{chunked} Transfer-Encoding, as defined by RFC 7230,
@@ -1915,6 +1956,12 @@ class _ChunkedTransferDecoder:
except ValueError:
raise _MalformedChunkedDataError("Chunk-size must be an integer.")
+ ext = self._buffer[endOfLengthIndex + 1 : eolIndex]
+ if ext and ext.translate(None, _chunkExtChars) != b"":
+ raise _MalformedChunkedDataError(
+ f"Invalid characters in chunk extensions: {ext!r}."
+ )
+
if length == 0:
self.state = "TRAILER"
else:
diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
index 201991f..eccb9b0 100644
--- a/src/twisted/web/test/test_http.py
+++ b/src/twisted/web/test/test_http.py
@@ -1379,7 +1379,13 @@ class ChunkedTransferEncodingTests(unittest.TestCase):
This is a potential request smuggling vector: see GHSA-c2jg-hw38-jrqq.
"""
- for b in [*range(0, 0x09), *range(0x10, 0x21), *range(0x74, 0x80)]:
+ invalidControl = (
+ b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\n\x0b\x0c\r\x0e\x0f"
+ b"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+ )
+ invalidDelimiter = b"\\"
+ invalidDel = b"\x7f"
+ for b in invalidControl + invalidDelimiter + invalidDel:
data = b"3; " + bytes((b,)) + b"\r\nabc\r\n"
p = http._ChunkedTransferDecoder(
lambda b: None, # pragma: nocov
|
