[panic]: slice OOB caused by illegal uri #4775
Comments
|
Thanks for the report. In the future, please post the precise input and log output to expedite a fix. In order to add a regression test, can you please share the exact input you had that caused the bug? I can find some too but I need to make sure your case is covered too. What was your config? i.e. what are you rewriting to? Edit: I'm not able to reproduce the bug with an input of |
|
In my case, As for the precise log output, I made some modification on And it crashed like?: |
|
Thanks! I see it now. |
|
Should be fixed in 693e9b5. Feel free to double-check my work! |
|
This issue has been assigned as CVE-2022-34037. |
|
This bug only affected the client of the request, and to my knowledge cannot DoS anyone other than the attacker; i.e. no attack surface is possible here in the server. (Would be a client bug if the client allows the user to make an invalid/malformed request when expecting something to work.) The CVE is unwarranted IMO. |
|
IMO, this CVE is absurd. It was given a score of 7.5. But it requires a bad config, AND it has no real attack surface. The panic does not take down the server, it just stops the current request which contained bad input, and emits a log. There's no exploit here. Example Caddyfile config of the reported issue: Run Caddy v2.5.1, making a request with If Curl output: This is very clearly just a regular bug, there are no security implications here at all. The CVE should be revised or dismissed. |
|
I've officially disputed the CVE with this letter:
|
It occurs in `modules/caddyhttp/rewrite/rewrite.go`.

Specifically, this bug is located in `func (rewr Rewrite) rewrite`. In this function, it parses the `rewr.URI` and attempts to find the bounds of each part of the URI that exist. However, this implementation is too simple to handle unexpected scenarios.

If '#' appears in front of the '?' in `rewr.URI`, it makes `qsStart` larger than `qsEnd`, which leads to a crash like 'panic: runtime error: slice bounds out of range' in the slice access at `query = uri[qsStart:qsEnd]`.
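The inverted bounds described in this report, as an added Go example that is not Caddy's code and not the fix in 693e9b5. The function names `queryBounds`, `naiveQuery` and `safeQuery` are hypothetical, the scan is a simplified model of the one the report describes, and the input URI is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// queryBounds models the reported scan: first '?' sets qsStart, first '#' sets qsEnd, order unchecked.
func queryBounds(uri string) (qsStart, qsEnd int) {
	qsStart, qsEnd = -1, -1
	for i, ch := range uri {
		switch {
		case ch == '?' && qsStart < 0:
			qsStart = i + 1
		case ch == '#' && qsEnd < 0:
			qsEnd = i
		}
	}
	if qsStart >= 0 && qsEnd < 0 {
		qsEnd = len(uri)
	}
	return qsStart, qsEnd
}

// naiveQuery slices with unvalidated bounds; recover turns the runtime panic into an error.
func naiveQuery(uri string) (query string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	qsStart, qsEnd := queryBounds(uri)
	if qsStart < 0 {
		return "", nil
	}
	return uri[qsStart:qsEnd], nil
}

// safeQuery drops everything from the first '#' before looking for '?', so bounds cannot invert.
func safeQuery(uri string) string {
	beforeFrag, _, _ := strings.Cut(uri, "#")
	_, query, _ := strings.Cut(beforeFrag, "?")
	return query
}

func main() {
	q, err := naiveQuery("/a#frag?x=1") // constructed input: '#' before '?'
	fmt.Printf("naive=%q err=%v safe=%q\n", q, err, safeQuery("/a#frag?x=1"))
}
```

A regression test for this class of bug should include at least one URI where the fragment marker precedes the query marker, since well-ordered inputs never exercise the inverted slice.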