Original Post: BUG/CRITICAL: http: properly reject empty http header field names · haproxy/haproxy@a8598a2
This vulnerability was analyzed during Episode 189 on 20 February 2023
A vulnerability in HAProxy's HTTP header parsing: the parsers accepted a header with an empty field name, which the HTTP specification forbids (a field name must be a non-empty token). Internally, HAProxy's decoded header lists, including the output of the HPACK and QPACK decoders, are terminated by an entry with an empty name, so an attacker-supplied empty name looks like the end of the list, and every header placed after it is silently dropped before the request reaches the backend: Host, Upgrade, Content-Length, Transfer-Encoding, or any other sensitive header. Over HTTP/2 and HTTP/3 the impact is limited, because the body is framed by the transport rather than by Content-Length or Transfer-Encoding; the effect is simply as if the client had never sent the dropped headers. Over HTTP/1, where those two headers define where the body ends, dropping them can desynchronize the frontend's and the backend's view of the request and be leveraged into a request-smuggling scenario.
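The mechanism described above, reduced to a toy parser. This is an added example written for this page, not HAProxy's code: it keeps parsed headers in an array terminated by an empty-name entry, the same convention the summary describes for HAProxy's decoded header lists, and shows that once an empty name is accepted, a consumer walking the list up to the terminator loses every header after it. The function names, the `reject_empty` switch and the `SAMPLE` request are constructed for the example.

```c
/* Added example, not HAProxy's code: a toy HTTP/1 header parser that keeps
 * headers in an array terminated by an empty-name entry, the convention the
 * summary describes for HAProxy's decoded header lists. With reject_empty=0 it
 * accepts an empty field name, so a consumer that walks the list up to the
 * first empty name drops every header after it; with reject_empty=1 the
 * request is refused, as the fix does. Names and SAMPLE are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HDRS 16

struct hdr {
    const char *name;  size_t nlen;   /* nlen == 0 marks the end of the list */
    const char *value; size_t vlen;
};

/* tchar (RFC 9110 section 5.6.2): the only characters allowed in a field name */
static int is_tchar(unsigned char c)
{
    return isalnum(c) || (c && strchr("!#$%&'*+-.^_`|~", c));
}

/* Parse CRLF-terminated "name: value" lines into out[] and append an
 * empty-name terminator. Returns the header count, or -1 on a malformed field. */
static int parse_headers(const char *buf, size_t len, struct hdr *out, int reject_empty)
{
    size_t pos = 0, ll, nlen, vlen, i;
    int n = 0;

    while (pos < len && n < MAX_HDRS - 1) {
        const char *line = buf + pos, *colon, *v;
        const char *eol = memchr(line, '\n', len - pos);

        if (!eol) return -1;                /* no LF: truncated line */
        ll = (size_t)(eol - line);
        pos += ll + 1;
        if (ll && line[ll - 1] == '\r') ll--;
        if (ll == 0) break;                 /* blank line ends the header block */
        colon = memchr(line, ':', ll);
        if (!colon) return -1;              /* not "name: value" */
        nlen = (size_t)(colon - line);
        if (nlen == 0 && reject_empty)
            return -1;                      /* the fix: an empty name is a parse error */
        for (i = 0; i < nlen; i++)
            if (!is_tchar((unsigned char)line[i])) return -1;
        v = colon + 1;
        vlen = ll - nlen - 1;
        while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }          /* trim OWS */
        while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
        out[n].name = line; out[n].nlen = nlen;
        out[n].value = v;   out[n].vlen = vlen;
        n++;
    }
    out[n].name = out[n].value = NULL;      /* terminator: empty name */
    out[n].nlen = out[n].vlen = 0;
    return n;
}

/* Consumer side: the stage assembling the request for the backend walks the
 * list up to the first empty name, like a list built by the HPACK/QPACK
 * decoders. Returns how many headers it would forward. */
int forwarded_count(const struct hdr *list)
{
    int n = 0;
    while (list[n].nlen != 0)
        n++;
    return n;
}

/* Case-insensitive lookup among the forwarded headers; NULL if it was dropped */
const char *find_forwarded(const struct hdr *list, const char *name)
{
    size_t i, nlen = strlen(name);
    for (int k = 0; list[k].nlen != 0; k++) {
        if (list[k].nlen != nlen) continue;
        for (i = 0; i < nlen && tolower((unsigned char)list[k].name[i]) == tolower((unsigned char)name[i]); i++);
        if (i == nlen) return list[k].value;
    }
    return NULL;
}

/* Constructed request: the empty-name line ": x" sits between Host and
 * Content-Length, so a parser that accepts it hides Content-Length. */
static const char SAMPLE[] = "Host: app.internal\r\n: x\r\nContent-Length: 5\r\n\r\n";

int main(void)
{
    struct hdr list[MAX_HDRS];
    int parsed = parse_headers(SAMPLE, sizeof SAMPLE - 1, list, 0);

    printf("vulnerable: parsed %d headers, forwards %d, Content-Length %s\n", parsed,
           forwarded_count(list), find_forwarded(list, "content-length") ? "kept" : "dropped");
    printf("fixed: %s\n",
           parse_headers(SAMPLE, sizeof SAMPLE - 1, list, 1) < 0 ? "request rejected" : "accepted");
    return 0;
}
```

With `reject_empty` off the vulnerable path parses three entries but forwards only Host; Content-Length never reaches the consumer, which is the HTTP/1 smuggling setup the summary describes. With the check on, the empty name is a parse error and nothing is forwarded. The same probe works against a live proxy: send `GET / HTTP/1.1\r\nHost: app\r\n: x\r\nContent-Length: 5\r\n\r\nhello` with `printf ... | nc`, and compare the header set that arrives at the backend; a build carrying the fix rejects the request as malformed instead of forwarding a truncated header list.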