I'm submitting a ...
- bug report
- feature request
- question about the decisions made in the repository

Describe the bug. What is the current behavior?
Cheroot accepts requests with multiple Content-Length headers, prioritizing the second. It is therefore vulnerable to request smuggling when paired with a gateway server that forwards requests with multiple Content-Length headers, prioritizing the first.
What is the motivation / use case for changing the behavior?
This is a vulnerability.
I reported this privately through the official channel on June 8th, 2024, but received no response.
To Reproduce
- Start a cheroot-based web server.
- Send it an otherwise valid request with multiple Content-Length headers.
- Watch it prioritize the second header over the first.
Expected behavior
The request should be rejected with status 400.
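The 400 asked for above amounts to refusing ambiguous message framing before any body bytes are read. The following is an added example, not Cheroot's code: a small request-head parser that keeps every header field as its own entry (so a repeated field cannot silently overwrite an earlier one) and rejects a head with more than one Content-Length field, a Content-Length value that is not a single decimal integer, or Content-Length combined with Transfer-Encoding. The last two checks go beyond the duplicate-header case reported here and follow RFC 9110 section 8.6 and RFC 9112 section 6.3. The sample requests are constructed for the example.

```python
"""Reject HTTP/1.1 request heads whose body length is ambiguous.

Added example, not Cheroot's own parser. Sample requests are constructed.
"""
from __future__ import annotations

import re

# Content-Length must be one or more ASCII digits and nothing else
# (RFC 9110 section 8.6); this also rejects comma-separated lists.
DIGITS_RE = re.compile(r"[0-9]+")


class BadRequest(Exception):
    """Raised when the request must be answered with 400 Bad Request."""


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw request head into (request_line, headers).

    Each header field is kept as its own (name, value) pair with the name
    lower-cased, so repeated fields stay visible instead of being merged
    into a dict where the last one wins.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("request head not terminated by a blank line")
    lines = head.split(b"\r\n")
    headers: list[tuple[str, str]] = []
    try:
        request_line = lines[0].decode("ascii")
        for line in lines[1:]:
            if line[:1] in (b" ", b"\t"):
                # Obsolete line folding is another framing ambiguity.
                raise BadRequest("obsolete line folding is not accepted")
            name, colon, value = line.partition(b":")
            if not colon or not name or name != name.strip():
                raise BadRequest("malformed header line")
            headers.append((name.decode("ascii").lower(),
                            value.strip().decode("ascii")))
    except UnicodeDecodeError as exc:
        raise BadRequest("non-ASCII bytes in request head") from exc
    return request_line, headers


def declared_body_length(headers: list[tuple[str, str]]) -> int | None:
    """Return the body length declared by Content-Length, or None if absent.

    Raises BadRequest when framing is ambiguous: more than one
    Content-Length field (the bug reported above), a value that is not a
    plain decimal integer, or Content-Length next to Transfer-Encoding.
    """
    lengths = [value for name, value in headers if name == "content-length"]
    has_te = any(name == "transfer-encoding" for name, _ in headers)
    if not lengths:
        return None
    if has_te:
        raise BadRequest("Content-Length and Transfer-Encoding both present")
    if len(lengths) != 1:
        raise BadRequest("multiple Content-Length header fields")
    if not DIGITS_RE.fullmatch(lengths[0]):
        raise BadRequest("Content-Length is not a single decimal integer")
    return int(lengths[0])


def check_request(raw: bytes) -> int | None:
    """Parse a raw request head; return the declared body length or None.

    Raises BadRequest for anything that should receive a 400 instead of
    being served.
    """
    _request_line, headers = parse_head(raw)
    return declared_body_length(headers)


def is_rejected(raw: bytes) -> bool:
    """True if check_request would answer this head with 400."""
    try:
        check_request(raw)
    except BadRequest:
        return True
    return False


# Constructed sample requests (not captured traffic).
GOOD = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
DUPLICATE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")

if __name__ == "__main__":
    print("declared length:", check_request(GOOD))
    try:
        check_request(DUPLICATE)
    except BadRequest as exc:
        print("400 Bad Request:", exc)
```

The point of returning a list of pairs from `parse_head` rather than a mapping is that the decision about duplicates is made explicitly in `declared_body_length`; a dict-based parser makes that decision implicitly (first or last wins), and two components that choose differently is exactly the condition the report describes.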
Environment
- Cheroot version: main branch, commit 088647e
- Python version: Python 3.14.0a3+
- OS: Linux 8a89c2a1a5fb 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux