cohttp-eio(client/server): Mitigate Against Attacks via Protocol Element Length #927

bikallem · 2022-08-26T11:51:36Z

cohttp-eio client/server should attempt to mitigate against some of the issues highlighted in the RFC advisory https://www.rfc-editor.org/rfc/rfc7230#section-9.3.

9.3. Attacks via Protocol Element Length

Because HTTP uses mostly textual, character-delimited fields, parsers
are often vulnerable to attacks based on sending very long (or very
slow) streams of data, particularly where an implementation is
expecting a protocol element with no predefined length.

This should be considered for both eio client and server.

This is a meta/parent issue to track specific action items below:

Body length (cohttp-eio: Allow maximum content-length header to be configurable in client and server #928)
resource path length

References:

The text was updated successfully, but these errors were encountered:

bikallem mentioned this issue Aug 26, 2022

cohttp-eio Client module #879

Merged

4 tasks

bikallem changed the title ~~cohttp-eio(clien/server): valid Content-Length~~ cohttp-eio(client/server): Mitigate against Attacks via Protocol Element Length Aug 28, 2022

bikallem changed the title ~~cohttp-eio(client/server): Mitigate against Attacks via Protocol Element Length~~ cohttp-eio(client/server): Mitigate Against Attacks via Protocol Element Length Aug 28, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cohttp-eio(client/server): Mitigate Against Attacks via Protocol Element Length #927

cohttp-eio(client/server): Mitigate Against Attacks via Protocol Element Length #927

bikallem commented Aug 26, 2022 •

edited

cohttp-eio(client/server): Mitigate Against Attacks via Protocol Element Length #927

cohttp-eio(client/server): Mitigate Against Attacks via Protocol Element Length #927

Comments

bikallem commented Aug 26, 2022 • edited

bikallem commented Aug 26, 2022 •

edited