近日Netty 4.x版本爆出了CVE-2019-16869漏洞.
详情见这里:http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-1264
修复方法为升级至 4.1.42.Final版本即可.
具体的行为如下:
http request smuggling, cause by obfuscating TE header
`Expected behavior
ignore obfuscating TE header("Transfer-Encoding : chunked" vs "Transfer-Encoding: chunked")
Actual behavior
use Transfer-Encoding[space] as Transfer-Encoding
Steps to reproduce
1、topology: client→elb→nettyServer
2、client send a request with both content-length and trunked-encoded[space]
3、elb ignored trunked-encoded[space], but use content-length
4、netty use trunked-encoded[space]
Minimal yet complete reproducer code (or URL to code)
when header field end with space but not colon, shoud the space be ignored?
can not found proof in https://greenbytes.de/tech/webdav/rfc7230.html#header.fields.
code in io.netty.handler.codec.http.HttpObjectDecoder#splitHeader
for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
char ch = sb.charAt(nameEnd);
if (ch == ':' || Character.isWhitespace(ch)) {
break;
}
}
Netty version
all
JVM version (e.g. java -version)
OS version (e.g. uname -a)`