Split out from #56 / CVE-2022-31081 (POC #7).

Per RFC 9110 §5.6.3:

> Only SP and HTAB are permitted as optional whitespace around a field-line value.

HTTP::Daemon's header-value parse at `lib/HTTP/Daemon.pm:166` strips `\s*` after the colon — which in Perl includes TAB, form feed (`\x0c`), and vertical tab (`\x0b`). So `Transfer-Encoding: \x0cchunked` normalizes to `chunked` and triggers chunked decoding at `lib/HTTP/Daemon.pm:212`:

```perl
if ($tr_enc && lc($tr_enc) eq 'chunked') {
```

Per RFC 9112 §6.1, `Transfer-Encoding = #transfer-coding` — a comma-separated list of bare tokens with no internal whitespace. RFC 9112 §6.1 further states:

> A server that receives a request message with a transfer coding it does not understand SHOULD respond with 501 (Not Implemented).

## Security relevance

This is the canonical TE.CL smuggling vector documented in PortSwigger's *HTTP Desync Attacks: Request Smuggling Reborn*. A frontend that treats `Transfer-Encoding: \x0cchunked` as unrecognized (and falls back to Content-Length framing) while HTTP::Daemon decodes it as chunked produces a desync — attacker bytes beyond the chunked body are read by the frontend as the start of the next pipelined request.

## Proposed fix

1. Strip `[ \t]*` rather than `\s*` (overlaps with "Header parser accepts whitespace before colon, violating RFC 9112 §5.1", #84).
2. Validate the parsed `Transfer-Encoding` value against the RFC 9112 §6.1 grammar before matching `chunked` at `Daemon.pm:212` — i.e. parse it as a comma-separated list of `transfer-coding` tokens and check for an exact match (case-insensitive) on each, rather than `lc($tr_enc) eq 'chunked'` on the raw value.
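As an added illustration of both fix items (this is example code, not HTTP::Daemon's own), the permissive `\s*` strip is placed beside a parser that limits OWS to SP/HTAB and checks each list element against the token grammar; the sample field lines and the function names `permissive_value` / `parse_transfer_encoding` are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample field lines; the CRLF terminator is assumed already removed.
my @samples = (
    "Transfer-Encoding: chunked",        # valid
    "Transfer-Encoding:\tchunked",       # HTAB is legal OWS
    "Transfer-Encoding: \x0cchunked",    # form feed: must not be accepted
    "Transfer-Encoding: chunked\x0b",    # vertical tab: must not be accepted
    "Transfer-Encoding: gzip, chunked",  # valid list, chunked is the final coding
);

# The permissive behaviour the issue describes: \s* swallows FF and VT,
# so both malformed samples above normalize to a bare "chunked".
sub permissive_value {
    my ($line) = @_;
    my ($value) = $line =~ /\ATransfer-Encoding:\s*(.*?)\s*\z/i or return;
    return $value;
}

my $OWS   = qr/[ \t]*/;                          # RFC 9110 s5.6.3 OWS: SP / HTAB only
my $TOKEN = qr/[!#\$%&'*+\-.^_`|~0-9A-Za-z]+/;   # RFC 9110 s5.6.2 token (tchar+)

# Returns an array ref of lower-cased transfer-coding tokens, or undef when the
# value does not fit the #transfer-coding grammar (the caller should answer 501).
# A caller should additionally require 'chunked' to be the last element for a
# request (RFC 9112 s6.1), rather than comparing the raw value to 'chunked'.
sub parse_transfer_encoding {
    my ($line) = @_;
    my ($value) = $line =~ /\ATransfer-Encoding:$OWS(.*?)$OWS\z/i or return;
    my @codings;
    for my $elem (split /,/, $value, -1) {
        $elem =~ s/\A$OWS//;
        $elem =~ s/$OWS\z//;
        next if $elem eq '';                  # the #rule tolerates empty elements
        return unless $elem =~ /\A$TOKEN\z/;  # bare token only; \x0c and \x0b fail here
        push @codings, lc $elem;
    }
    return @codings ? \@codings : undef;
}

for my $line (@samples) {
    (my $shown = $line) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $loose  = permissive_value($line);
    my $strict = parse_transfer_encoding($line);
    printf "%-34s  loose=%-8s  strict=%s\n", $shown,
        lc($loose) eq 'chunked' ? 'chunked' : 'other',
        $strict ? join(',', @$strict) : 'REJECT(501)';
}
```

Run under a current Perl (5.18 or later, where `\s` also matches VT) the two malformed samples print `loose=chunked` but `strict=REJECT(501)`, which is the disagreement between the two parsers that the desync relies on.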