Recently Netty 4.x version broke vulnerability CVE-2019-16869.
Details are here: http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-1264
repair method upgrade to 4.1.42.Final version.
specific behavior is as follows:
HTTP Request Smuggling, the cause is by Obfuscating TE header
`the Expected behavior
the ignore Obfuscating TE header (" Transfer-Encoding: chunked "VS" Transfer-Encoding: chunked ")
Actual behavior
use Transfer-Encoding[space] as Transfer-Encoding
Steps to reproduce
1、topology: client→elb→nettyServer
2、client send a request with both content-length and trunked-encoded[space]
3、elb ignored trunked-encoded[space], but use content-length
4、netty use trunked-encoded[space]
Minimal yet complete reproducer code (or URL to code)
when header field end with space but not colon, shoud the space be ignored?
can not found proof in https://greenbytes.de/tech/webdav/rfc7230.html#header.fields.
code in io.netty.handler.codec.http.HttpObjectDecoder#splitHeader
for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
char ch = sb.charAt(nameEnd);
if (ch == ':' || Character.isWhitespace(ch)) {
break;
}
}
Netty version
all
JVM version (e.g. java -version)
OS version (e.g. uname -a)`