Ignore secure_scheme_headers in Trailer section

pajod · pajod · commit fd67112f40f4 · 2023-12-15T13:33:31.000+01:00
In common configuration unlikely a big security problem in itself
you are just fooling the remote about https.
However, it is offers an oracle for otherwise invisible proxy request headers,
so it might help exploiting other vulnerabilities.
diff --git a/gunicorn/http/body.py b/gunicorn/http/body.py
@@ -51,7 +51,7 @@ def parse_trailers(self, unreader, data):
         if done:
             unreader.unread(buf.getvalue()[2:])
             return b""
-        self.req.trailers = self.req.parse_headers(buf.getvalue()[:idx])
+        self.req.trailers = self.req.parse_headers(buf.getvalue()[:idx], from_trailer=True)
         unreader.unread(buf.getvalue()[idx + 4:])
 
     def parse_chunked(self, unreader):
diff --git a/gunicorn/http/message.py b/gunicorn/http/message.py
@@ -66,7 +66,7 @@ def force_close(self):
     def parse(self, unreader):
         raise NotImplementedError()
 
-    def parse_headers(self, data):
+    def parse_headers(self, data, from_trailer=False):
         cfg = self.cfg
         headers = []
 
@@ -76,9 +76,13 @@ def parse_headers(self, data):
         # handle scheme headers
         scheme_header = False
         secure_scheme_headers = {}
-        if ('*' in cfg.forwarded_allow_ips or
-            not isinstance(self.peer_addr, tuple)
-                or self.peer_addr[0] in cfg.forwarded_allow_ips):
+        if from_trailer:
+            # nonsense. either a request is https from the beginning
+            #  .. or we are just behind a proxy who does not remove conflicting trailers
+            pass
+        elif ('*' in cfg.forwarded_allow_ips or
+              not isinstance(self.peer_addr, tuple)
+              or self.peer_addr[0] in cfg.forwarded_allow_ips):
             secure_scheme_headers = cfg.secure_scheme_headers
 
         # Parse headers into key/value pairs paying attention
@@ -294,7 +298,7 @@ def parse(self, unreader):
             self.unreader.unread(data[2:])
             return b""
 
-        self.headers = self.parse_headers(data[:idx])
+        self.headers = self.parse_headers(data[:idx], from_trailer=False)
 
         ret = data[idx + 4:]
         buf = None
