Impact

This vulnerability could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the HTTP::Daemon. This library is commonly used for local development and tests.

Patches

Patches are expected to be delivered soon in the next release.

Workarounds

After calling my $rqst = $conn->get_request() one could inspect the returned HTTP::Request object. Querying the 'Content-Length' (my $cl = $rqst->header('Content-Length')) will show any abnormalities that should be dealt with by a 400 response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is 42 or 42, 42, 42). Anything else MUST be rejected.

From the upcoming patch:

my $content_length = $rqst->header('Content-Length');

# split and clean up Content-Length
my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str }
    split ',', $content_length;
# check that they are all numbers
my @nums = grep { /^[0-9]+$/} @vals;
unless (@vals == @nums) {
    $conn->send_error(400);
    $conn->reason("Content-Length value must be a unsigned integer");
    return;
}
# check they are all the same
my $len = shift @nums;
foreach (@nums) {
    next if $_ == $len;
    $conn->send_error(400);
    $conn->reason("Content-Length values are not the same");
    return;
}
# ensure we have now a fixed header (according to RFC-2730 para 3.3.3)
$rqst->header('Content-Length' => $len);

References

• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
• RFC-7230 section 9.5 – Security Consideration | Request Smuggling
• HTTP Desync Attacks: Request Smuggling Reborn

For more information

If you have any questions or comments about this advisory:

• Open an issue in GitHub – libwww-perl/HTTP::Daemon