Should UnsafeHeaderParsing be allowed by default?

This is a somewhat subjective question, but I would like to hear the pros and cons. I run an open source project called Quick and Dirty Feed Parser, and the goal of the project is to make consuming RSS and Atom feeds in .NET as seamless as possible.

One of the problems I ran into quite early in the development of the project was that some of the feeds I used as test cases (namely the Hacker News RSS feed) used incorrectly formatted HTTP headers, and the HttpWebRequest class in .NET 1.1 and later quickly throws an "unsafe header" exception whenever you receive one of these headers in a GET request.

This check was added to stop response-splitting attacks, which were raised as a security issue when .NET 1.1 was released.

So my problem is that I can enable the "useUnsafeHeaderParsing" configuration option programmatically, but doing so applies to ALL of the HttpWebRequests in the application context. I have users who complain that QD Feed Parser is unable to consume valid feeds, and this header problem is the cause.

Right now my library is set up so that the developers who use it must opt into unsafe header parsing themselves, which is self-explanatory, although most of them do not know that this is a problem, and that creates support overhead for me.

I could simply have Quick and Dirty Feed Parser allow unsafe header parsing by default and force security-conscious users to disable it, but I do not want to expose users who are unaware of the security implications to attacks. What is the best option here?

+7
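The process-wide toggle the question refers to, as an added example that is not part of the question or of the Quick and Dirty Feed Parser project: on .NET Framework the setting lives on the internal SettingsSectionInternal type, so code has to reach it via reflection, and flipping it affects every HttpWebRequest in the AppDomain, not just the one feed you are fetching. The app.config equivalent is shown in the comment; the type and field names are the ones the .NET Framework actually uses, and the method returns false rather than throwing if they are not found (for instance on runtimes without this setting).

```csharp
using System;
using System.Net.Configuration;
using System.Reflection;

public static class UnsafeHeaderParsing
{
    // Declarative equivalent, which applies to the whole process as well:
    //
    // <configuration>
    //   <system.net>
    //     <settings>
    //       <httpWebRequest useUnsafeHeaderParsing="true" />
    //     </settings>
    //   </system.net>
    // </configuration>

    /// <summary>
    /// Enables or disables lenient header parsing for every HttpWebRequest in this
    /// AppDomain. Returns true if the internal setting was found and updated.
    /// </summary>
    public static bool SetAllowed(bool allowed)
    {
        // SettingsSectionInternal is not public, so look it up by name in System.dll.
        Assembly systemAssembly = Assembly.GetAssembly(typeof(SettingsSection));
        Type settingsType = systemAssembly.GetType("System.Net.Configuration.SettingsSectionInternal");
        if (settingsType == null)
            return false;

        // The static, non-public "Section" property hands back the singleton instance.
        object section = settingsType.InvokeMember("Section",
            BindingFlags.Static | BindingFlags.GetProperty | BindingFlags.NonPublic,
            null, null, new object[0]);
        if (section == null)
            return false;

        // The flag itself is a non-public instance field on that singleton.
        FieldInfo flag = settingsType.GetField("useUnsafeHeaderParsing",
            BindingFlags.NonPublic | BindingFlags.Instance);
        if (flag == null)
            return false;

        flag.SetValue(section, allowed);
        return true;
    }
}
```

Because the change is global, a library that calls `UnsafeHeaderParsing.SetAllowed(true)` relaxes header checking for unrelated requests made by the host application too, which is exactly the trade-off the question is weighing.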
1 answer

“Unsafe” here is a bit extreme; I would have named this setting differently. The problem occurs when badly behaved servers emit headers that do not exactly follow the HTTP RFC. For example, the RFC says that a CR character must be followed by an LF character, so if the LF is missing you get an exception unless you allow “unsafe” headers.

In practice, many HTTP clients ignore these minor violations in order to talk to as many servers as possible, which is why your browser or RSS reader never complains about “unsafe” headers. Even if the headers are bogus, the .NET client libraries are robust enough that, for example, an attacker leaving out a line feed will not break your application. :-) So there is no big security problem here, unless (for example) you do something stupid with the HTTP headers, such as emitting them directly into your HTML (which may allow an attacker to inject an XSS payload into your page).

So as long as you treat HTTP headers as just as untrusted as any other user-supplied data in your application (query strings, POST data, etc.), you should be fine allowing “unsafe” headers in your application.

+6