Add entry points to allow to run examples simply by installing eventlet by 4383 · Pull Request #825 · eventlet/eventlet

4383 · 2023-12-12T11:09:52Z

These entry points allow to run some of the examples described in the documentation directly from the command line.

Eventlet users doesn't have to copy these examples to run them.

All entry points are suffixed with "example" to highlight their nature.

They can help to save time to run tests and checks locally.

These entry points allow to run some of the examples described in the documentation directly from the command line. Eventlet users doesn't have to copy these examples to run them. All entry points are suffixed with "example" to highlight their nature. They can help to save time to run tests and checks locally.

Reject requests when containing headers `content-length` and `transfer-encoding` at the same time. That's not allowed by RFC 9112 and that could lead to potential security attacks. This is an extract of the RFC: > A server MAY reject a request that contains both Content-Length and > Transfer-Encoding or process such a request in accordance with the > Transfer-Encoding alone. Regardless, the server MUST close the > connection after responding to such a request to avoid the potential > attacks. > A server or client that receives an HTTP/1.0 message containing > a Transfer-Encoding header field MUST treat the message as if the > framing is faulty, even if a Content-Length is present, and close the > connection after processing the message. The message sender might have > retained a portion of the message, in buffer, that could be > misinterpreted by further use of the connection. The following request would lead to this scenario: ``` POST / HTTP/1.1 Host: a.com Transfer-Encoding: chunked Content-Length: 0 Content-Type: application/x-"##-form-urlencoded 14 id=1'or sleep(1);### 0 ``` With these changes, when this kind of request is received the connection is closed and an error 400 is returned. This scenario can be tested by using the following process: 1. run a wsgi server either: - by using the wsgi sample in official examples (http://eventlet.net/doc/examples.html#wsgi-server) - or by using my previous patch (eventlet#825) that allow you to run wsgi server from the command line (`$ eventlet_wsgi_example`) 2. send the following HTTP request to the running server: ``` curl -d "param1=value1&param2=value2" -X POST -H 'Transfer-Encoding: chunked' -H 'Content-Length: 0' --http1.1 http://0.0.0.0:8090 -i ``` The previous curl command display returned headers and status code. You can observe that now, with these changes, bad requests are rejected. This security issue was originally discovered by Keran Mu ([email protected]) and Jianjun Chen ([email protected]), from Tsinghua University and Zhongguancun Laboratory Thanks to them for undisclosing this security problem.

Reject requests when containing headers `content-length` and `transfer-encoding` at the same time. That's not allowed by RFC 9112 and that could lead to potential security attacks. This is an extract of the RFC: > A server MAY reject a request that contains both Content-Length and > Transfer-Encoding or process such a request in accordance with the > Transfer-Encoding alone. Regardless, the server MUST close the > connection after responding to such a request to avoid the potential > attacks. > A server or client that receives an HTTP/1.0 message containing > a Transfer-Encoding header field MUST treat the message as if the > framing is faulty, even if a Content-Length is present, and close the > connection after processing the message. The message sender might have > retained a portion of the message, in buffer, that could be > misinterpreted by further use of the connection. The following request would lead to this scenario: ``` POST / HTTP/1.1 Host: a.com Transfer-Encoding: chunked Content-Length: 0 Content-Type: application/x-"##-form-urlencoded 14 id=1'or sleep(1);### 0 ``` With these changes, when this kind of request is received the connection is closed and an error 400 is returned. This scenario can be tested by using the following process: 1. run a wsgi server either: - by using the wsgi sample in official examples (http://eventlet.net/doc/examples.html#wsgi-server) - or by using my previous patch (eventlet#825) that allow you to run wsgi server from the command line (`$ eventlet_wsgi_example`) 2. send the following HTTP request to the running server: ``` curl -d "param1=value1&param2=value2" -X POST -H 'Transfer-Encoding: chunked' -H 'Content-Length: 0' --http1.1 http://0.0.0.0:8090 -i ``` The previous curl command display returned headers and status code. You can observe that now, with these changes, bad requests are rejected. This security issue was originally discovered by Keran Mu ([email protected]) and Jianjun Chen ([email protected]), from Tsinghua University and Zhongguancun Laboratory Thanks to them for raising our attention about this security problem.

Reject requests which contains headers `content-length` and `transfer-encoding` at the same time. That's not allowed by RFC 9112 and that could lead to potential security attacks. This is an extract of the RFC: > A server MAY reject a request that contains both Content-Length and > Transfer-Encoding or process such a request in accordance with the > Transfer-Encoding alone. Regardless, the server MUST close the > connection after responding to such a request to avoid the potential > attacks. > A server or client that receives an HTTP/1.0 message containing > a Transfer-Encoding header field MUST treat the message as if the > framing is faulty, even if a Content-Length is present, and close the > connection after processing the message. The message sender might have > retained a portion of the message, in buffer, that could be > misinterpreted by further use of the connection. The following request would lead to this scenario: ``` POST / HTTP/1.1 Host: a.com Transfer-Encoding: chunked Content-Length: 0 Content-Type: application/x-"##-form-urlencoded 14 id=1'or sleep(1);### 0 ``` With these changes, when this kind of request is received the connection is closed and an error 400 is returned. This scenario can be tested by using the following process: 1. run a wsgi server either: - by using the wsgi sample in official examples (http://eventlet.net/doc/examples.html#wsgi-server) - or by using my previous patch (eventlet#825) that allow you to run wsgi server from the command line (`$ eventlet_wsgi_example`) 2. send the following HTTP request to the running server: ``` curl -d "param1=value1&param2=value2" -X POST -H 'Transfer-Encoding: chunked' -H 'Content-Length: 0' --http1.1 http://0.0.0.0:8090 -i ``` The previous curl command display returned headers and status code. You can observe that now, with these changes, bad requests are rejected. This security issue was originally discovered by Keran Mu ([email protected]) and Jianjun Chen ([email protected]), from Tsinghua University and Zhongguancun Laboratory Thanks to them for raising our attention about this security problem.

Reject requests which contains headers `content-length` and `transfer-encoding` at the same time. That's not allowed by RFC 9112 and that could lead to potential security attacks. https://www.rfc-editor.org/rfc/rfc9112#section-6.1-15 This is an extract of the RFC: > A server MAY reject a request that contains both Content-Length and > Transfer-Encoding or process such a request in accordance with the > Transfer-Encoding alone. Regardless, the server MUST close the > connection after responding to such a request to avoid the potential > attacks. > A server or client that receives an HTTP/1.0 message containing > a Transfer-Encoding header field MUST treat the message as if the > framing is faulty, even if a Content-Length is present, and close the > connection after processing the message. The message sender might have > retained a portion of the message, in buffer, that could be > misinterpreted by further use of the connection. The following request would lead to this scenario: ``` POST / HTTP/1.1 Host: a.com Transfer-Encoding: chunked Content-Length: 0 Content-Type: application/x-"##-form-urlencoded 14 id=1'or sleep(1);### 0 ``` With these changes, when this kind of request is received the connection is closed and an error 400 is returned. This scenario can be tested by using the following process: 1. run a wsgi server either: - by using the wsgi sample in official examples (http://eventlet.net/doc/examples.html#wsgi-server) - or by using my previous patch (eventlet#825) that allow you to run wsgi server from the command line (`$ eventlet_wsgi_example`) 2. send the following HTTP request to the running server: ``` curl -d "param1=value1&param2=value2" -X POST -H 'Transfer-Encoding: chunked' -H 'Content-Length: 0' --http1.1 http://0.0.0.0:8090 -i ``` The previous curl command display returned headers and status code. You can observe that now, with these changes, bad requests are rejected. This security issue was originally discovered by Keran Mu ([email protected]) and Jianjun Chen ([email protected]), from Tsinghua University and Zhongguancun Laboratory Thanks to them for raising our attention about this security problem.

tipabu · 2023-12-13T01:01:08Z

setup.py

+    ],
+    entry_points={
+        'console_scripts': [
+            'eventlet_chat_bridge_example = examples.chat_bridge:__main__',


Wait, installing eventlet also installs an importable examples?? That seems like a bug to me!

Yeah that was more or less the idea, I used it locally to make tests and avoid creating patches based on copy of official examples.

You are right, that's not the best idea that I had, let's abandon it.

It should have remained local hack :)

4383 mentioned this pull request Dec 12, 2023

Fix security issue related to RFC 9112 #826

Merged

tipabu reviewed Dec 13, 2023

View reviewed changes

4383 closed this Dec 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add entry points to allow to run examples simply by installing eventlet#825

Add entry points to allow to run examples simply by installing eventlet#825
4383 wants to merge 1 commit intoeventlet:masterfrom
4383:master

4383 commented Dec 12, 2023

Uh oh!

tipabu Dec 13, 2023

Uh oh!

4383 Dec 13, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

4383 commented Dec 12, 2023

Uh oh!

tipabu Dec 13, 2023

Choose a reason for hiding this comment

Uh oh!

4383 Dec 13, 2023

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants