Ignore secure_scheme_headers in Trailer section

In common configuration unlikely a big security problem in itself you are just fooling the remote about https. However, it is offers an oracle for otherwise invisible proxy request headers, so it might help exploiting other vulnerabilities.
2026-01-14 11:09:11 +08:00 · 2023-12-07 09:31:00 +01:00 · 2023-12-07 09:31:00 +01:00 · fd67112f40
commit fd67112f40
parent ac29c9b0a7
2 changed files with 10 additions and 6 deletions
--- a/gunicorn/http/body.py
+++ b/gunicorn/http/body.py
@ -51,7 +51,7 @@ class ChunkedReader(object):
        if done:
            unreader.unread(buf.getvalue()[2:])
            return b""
-        self.req.trailers = self.req.parse_headers(buf.getvalue()[:idx])
+        self.req.trailers = self.req.parse_headers(buf.getvalue()[:idx], from_trailer=True)
        unreader.unread(buf.getvalue()[idx + 4:])

    def parse_chunked(self, unreader):
--- a/gunicorn/http/message.py
+++ b/gunicorn/http/message.py
@ -66,7 +66,7 @@ class Message(object):
    def parse(self, unreader):
        raise NotImplementedError()

-    def parse_headers(self, data):
+    def parse_headers(self, data, from_trailer=False):
        cfg = self.cfg
        headers = []

@ -76,9 +76,13 @@ class Message(object):
        # handle scheme headers
        scheme_header = False
        secure_scheme_headers = {}
-        if ('*' in cfg.forwarded_allow_ips or
-            not isinstance(self.peer_addr, tuple)
-                or self.peer_addr[0] in cfg.forwarded_allow_ips):
+        if from_trailer:
+            # nonsense. either a request is https from the beginning
+            #  .. or we are just behind a proxy who does not remove conflicting trailers
+            pass
+        elif ('*' in cfg.forwarded_allow_ips or
+              not isinstance(self.peer_addr, tuple)
+              or self.peer_addr[0] in cfg.forwarded_allow_ips):
            secure_scheme_headers = cfg.secure_scheme_headers

        # Parse headers into key/value pairs paying attention
@ -294,7 +298,7 @@ class Request(Message):
            self.unreader.unread(data[2:])
            return b""

-        self.headers = self.parse_headers(data[:idx])
+        self.headers = self.parse_headers(data[:idx], from_trailer=False)

        ret = data[idx + 4:]
        buf = None