Summary
The HttpPostRequestDecoder can be tricked into accumulating data without bound. I have spotted two attack vectors so far.
Details
- While the decoder can store items on disk if configured to do so, there is no limit on the number of fields a form can have. An attacker can send a chunked POST consisting of many small fields, which are all accumulated in the bodyListHttpData list.
- The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field, so a single field can accumulate data without limit.
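The two accumulation points above can be modelled with a small streaming form decoder that caps both of them. This is an added illustration written for this advisory, not Netty's code and not the fix on the referenced branch: the class, its method names and the two limits (max_fields, max_buffered_bytes) are hypothetical, chosen to mirror the roles of bodyListHttpData and undecodedChunk; the request bodies are constructed samples.

```python
from urllib.parse import unquote_plus


class TooManyFormFieldsError(Exception):
    """Raised when the number of decoded fields exceeds the configured limit."""


class TooLongFormFieldError(Exception):
    """Raised when the undecoded bytes buffered for one field exceed the limit."""


class BoundedFormDecoder:
    """Streaming decoder for application/x-www-form-urlencoded bodies (hypothetical model).

    `fields` stands in for bodyListHttpData and `undecoded` for undecodedChunk.
    Both are capped so a chunked request cannot grow either of them without bound.
    """

    def __init__(self, max_fields=128, max_buffered_bytes=64 * 1024):
        self.max_fields = max_fields
        self.max_buffered_bytes = max_buffered_bytes
        self.fields = []       # decoded (name, value) pairs, capped by max_fields
        self.undecoded = b""   # bytes of a field not yet terminated by '&'

    def _add_field(self, raw):
        if not raw:
            return
        # First vector: refuse to grow the field list past the limit.
        if len(self.fields) >= self.max_fields:
            raise TooManyFormFieldsError(f"more than {self.max_fields} fields")
        name, _, value = raw.partition(b"=")
        self.fields.append((unquote_plus(name.decode()), unquote_plus(value.decode())))

    def feed(self, chunk):
        """Consume one body chunk, decoding every field terminated by '&'."""
        self.undecoded += chunk
        while True:
            sep = self.undecoded.find(b"&")
            if sep < 0:
                break
            self._add_field(self.undecoded[:sep])
            self.undecoded = self.undecoded[sep + 1:]
        # Second vector: a field that never terminates would otherwise grow
        # the buffer chunk by chunk, so bound what may stay undecoded.
        if len(self.undecoded) > self.max_buffered_bytes:
            raise TooLongFormFieldError(
                f"field exceeds {self.max_buffered_bytes} buffered bytes")
        return self

    def finish(self):
        """Decode the trailing field and return all decoded fields."""
        self._add_field(self.undecoded)
        self.undecoded = b""
        return list(self.fields)


def decode_chunked(chunks, **limits):
    """Feed a sequence of body chunks through the decoder.

    Returns the decoded fields, or the name of the limit that rejected the body.
    """
    dec = BoundedFormDecoder(**limits)
    try:
        for chunk in chunks:
            dec.feed(chunk)
        return dec.finish()
    except TooManyFormFieldsError:
        return "too-many-fields"
    except TooLongFormFieldError:
        return "too-long-field"


if __name__ == "__main__":
    # Constructed sample bodies, not taken from the advisory or its reproducer.
    print(decode_chunked([b"user=alice&", b"lang=en"]))
    # Many tiny fields across many chunks: rejected by the field-count limit.
    print(decode_chunked([b"f=1&"] * 1000, max_fields=100))
    # One field that never terminates: rejected by the buffered-bytes limit.
    print(decode_chunked([b"A" * 1024] * 100, max_buffered_bytes=4096))
```

The point of checking the buffer length after each chunk, rather than only when a field completes, is that the second vector never completes a field at all; a limit that is enforced only at decode time would never fire.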
PoC
Here is a Netty branch that provides a fix plus tests: https://github.com/vietj/netty/tree/post-request-decoder
Here is a reproducer with Vert.x (which uses this decoder): https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
Impact
Any Netty-based HTTP server that uses the HttpPostRequestDecoder to decode a form.
References