修复解决 CVE-2023-26148 #443

Huangxiaodui · 2023-10-11T15:06:21Z

#442
尝试通过修改HttpMessage.cpp中的业务逻辑，将Header中的\r\n转义成\r\n，即可解决漏洞中描述的问题。

ithewei · 2023-10-16T14:27:07Z

http/HttpMessage.cpp

@@ -489,7 +489,22 @@ void HttpMessage::DumpHeaders(std::string& str) {
            // %s: %s\r\n
            str += header.first;
            str += ": ";
-            str += header.second;


这样改更简单：

str += hv::replaceAll(header.second, "\r\n", "\\r\\n");

感谢检视。
经过验证，如果命令中存在单个\r或者单个\n，也可能存在相同的问题。如果使用replaceall，需要写成如下部分：

std::string tmp_str = hv::replaceAll(header.second, "\r", "\\r"); str += tmp_str (header.second, "\n", "\\n");

感觉这样的写法应该会比较浪费性能。同时此类场景应该是比较少了，所以原有的写法中，提前判断是否存在\r\n，可以减少正常场景下的性能损失。

risicle · 2023-12-02T16:28:24Z

(Hoping this traverses the language barrier..)

Are you aware of the existence of CVE-2023-26147 too?

https://nvd.nist.gov/vuln/detail/CVE-2023-26147
https://gist.github.com/dellalibera/2be265b56b7b3b00de1a777b9dec0c7b

It looks like the same thing, but in response headers. Are you confident that this addresses addresses that issue too?

Huangxiaodui changed the title ~~尝试修复解决 CVE-2023-26148~~ 修复解决 CVE-2023-26148 Oct 11, 2023

ithewei reviewed Oct 16, 2023

View reviewed changes

Fix CVE-2023-26148

44f6ede

ithewei merged commit f2b969f into ithewei:master Oct 17, 2023
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

修复解决 CVE-2023-26148 #443

修复解决 CVE-2023-26148 #443

Huangxiaodui commented Oct 11, 2023

ithewei Oct 16, 2023

Huangxiaodui Oct 17, 2023

risicle commented Dec 2, 2023

修复解决 CVE-2023-26148 #443

修复解决 CVE-2023-26148 #443

Conversation

Huangxiaodui commented Oct 11, 2023

ithewei Oct 16, 2023

Choose a reason for hiding this comment

Huangxiaodui Oct 17, 2023

Choose a reason for hiding this comment

risicle commented Dec 2, 2023