x/net/http2: validate received header values #14029

bradfitz · 2016-01-20T05:28:06Z

The Go http2 implementation (client & server) validates header values (the validHeader func) but I missed the very next sentence in the http2 spec before:

https://httpwg.github.io/specs/rfc7540.html#rfc.section.10.3

Similarly, HTTP/2 allows header field values that are not valid. While most of the values that can be encoded will not alter header field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0) might be exploited by an attacker if they are translated verbatim. Any request or response that contains a character not permitted in a header field value MUST be treated as malformed (Section 8.1.2.6). Valid characters are defined by the field-content ABNF rule in Section 3.2 of [RFC7230].

I only thought to go look because I saw a mention of it in the gRPC wire protocol docs:

Note that HTTP2 does not allow arbitrary octet sequences for header values so binary header values must be encoded using Base64

Needs to be fixed in both the client & server, next to existing checks like:

        if !validHeader(f.Name) {
                rl.reqMalformed = errInvalidHeaderKey
                return false
        }

The text was updated successfully, but these errors were encountered:

gopherbot · 2016-01-20T21:00:27Z

CL https://golang.org/cl/18727 mentions this issue.

This validates incoming header field values in Server and Transport to make sure the peer isn't sending us a \x00, CR, NL or other non-VCHAR except space and tab. It does not yet validate that we don't send such things, though. Updates golang/go#14029 Change-Id: I7c6a56d5d0d255f1b8fa64480b34b3b5e1f4f367 Reviewed-on: https://go-review.googlesource.com/18727 Reviewed-by: Andrew Gerrand <adg@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

gopherbot · 2016-01-20T23:00:14Z

CL https://golang.org/cl/18728 mentions this issue.

…ternal Updates x/net/http2 to git rev b2ed34f for https://golang.org/cl/18727 Updates #14029 (fixes it enough for Go 1.6) Fixes #13961 Change-Id: Id301247545507671f4e79df0e7c6ec9c421d5a7c Reviewed-on: https://go-review.googlesource.com/18728 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>

bradfitz self-assigned this Jan 20, 2016

bradfitz added this to the Go1.6 milestone Jan 20, 2016

bradfitz modified the milestones: Go1.7, Go1.6 Jan 21, 2016

bradfitz changed the title ~~x/net/http2: validate header values~~ x/net/http2: validate sent header field names & values Jan 21, 2016

bradfitz changed the title ~~x/net/http2: validate sent header field names & values~~ x/net/http2: validate received header values Jan 21, 2016

bradfitz modified the milestones: Go1.6, Go1.7 Jan 21, 2016

bradfitz closed this Jan 21, 2016

bradfitz mentioned this issue Jan 21, 2016

x/net/http2: validate transmitted header field names & values #14048

Closed

golang locked and limited conversation to collaborators Jan 23, 2017

gopherbot added the FrozenDueToAge label Jan 23, 2017

golang / go

x/net/http2: validate received header values #14029

x/net/http2: validate received header values #14029

bradfitz commented Jan 20, 2016

gopherbot commented Jan 20, 2016

gopherbot commented Jan 20, 2016

golang / go

x/net/http2: validate received header values #14029

x/net/http2: validate received header values #14029

Comments

bradfitz commented Jan 20, 2016

gopherbot commented Jan 20, 2016

gopherbot commented Jan 20, 2016