Improper handling of empty list elements in `Transfer-Encoding` header values
kenballus opened this issue
Gunicorn doesn't properly handle `Transfer-Encoding` header values with empty list elements. `Transfer-Encoding` is a list-valued header, and RFC 9110 says this about list-valued header parsing:

> A recipient MUST parse and ignore a reasonable number of empty list elements: enough to handle common mistakes by senders that merge values, but not so much that they could be used as a denial-of-service mechanism.

Thus, `Transfer-Encoding: ,chunked` should be equivalent to `Transfer-Encoding: chunked`. Gunicorn does not make this distinction, and is thus vulnerable to request smuggling when deployed behind gateway servers that do (and also don't normalize out the comma). There are a few widely-deployed load balancers that exhibit this behavior.
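
The list parsing that the quoted RFC 9110 passage calls for, as an added example (not Gunicorn's code and not part of the original issue). The function names and the `MAX_EMPTY_ELEMENTS` limit are assumptions, transfer parameters are not handled, and `whole_value_is_chunked` is a hypothetical model of a parser that does not skip empty elements.

```python
# Added example; every name here is hypothetical, not taken from Gunicorn.
MAX_EMPTY_ELEMENTS = 4  # assumption: RFC 9110 says "reasonable number", no figure


class BadTransferEncoding(ValueError):
    """Value the server should reject (400) instead of guessing the framing."""


def parse_transfer_encoding(values):
    """Return the transfer codings named across all Transfer-Encoding lines.

    `values` holds one raw field value per header line. Empty list elements
    are skipped, up to MAX_EMPTY_ELEMENTS in total, then the value is refused.
    """
    codings = []
    empties = 0
    for value in values:
        for element in value.split(","):
            token = element.strip(" \t").lower()  # OWS is SP / HTAB
            if not token:
                empties += 1
                if empties > MAX_EMPTY_ELEMENTS:
                    raise BadTransferEncoding("too many empty list elements")
                continue
            codings.append(token)
    return codings


def is_chunked(values):
    """True when the final transfer coding is chunked."""
    codings = parse_transfer_encoding(values)
    if "chunked" in codings[:-1]:
        # chunked anywhere but last leaves the body length ambiguous
        raise BadTransferEncoding("chunked must be the final transfer coding")
    return bool(codings) and codings[-1] == "chunked"


def whole_value_is_chunked(values):
    """Hypothetical parser that compares the whole value and skips nothing."""
    return any(v.strip().lower() == "chunked" for v in values)


if __name__ == "__main__":
    # Constructed sample values; the second is the one from the issue.
    for sample in (["chunked"], [",chunked"], ["gzip, chunked"]):
        print(sample, is_chunked(sample), whole_value_is_chunked(sample))
```

The two functions disagree on `,chunked`, which is the framing disagreement between gateway and backend that the issue describes.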