Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/net/http2: validate received header values #14029

Closed
bradfitz opened this issue Jan 20, 2016 · 2 comments
Closed

x/net/http2: validate received header values #14029

bradfitz opened this issue Jan 20, 2016 · 2 comments
Assignees
Milestone

Comments

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Jan 20, 2016

The Go http2 implementation (client & server) validates header values (the validHeader func) but I missed the very next sentence in the http2 spec before:

https://httpwg.github.io/specs/rfc7540.html#rfc.section.10.3

Similarly, HTTP/2 allows header field values that are not valid. While most of the values that can be encoded will not alter header field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0) might be exploited by an attacker if they are translated verbatim. Any request or response that contains a character not permitted in a header field value MUST be treated as malformed (Section 8.1.2.6). Valid characters are defined by the field-content ABNF rule in Section 3.2 of [RFC7230].

I only thought to go look because I saw a mention of it in the gRPC wire protocol docs:

Note that HTTP2 does not allow arbitrary octet sequences for header values so binary header values must be encoded using Base64

Needs to be fixed in both the client & server, next to existing checks like:

        if !validHeader(f.Name) {
                rl.reqMalformed = errInvalidHeaderKey
                return false
        }
@bradfitz bradfitz self-assigned this Jan 20, 2016
@bradfitz bradfitz added this to the Go1.6 milestone Jan 20, 2016
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jan 20, 2016

CL https://golang.org/cl/18727 mentions this issue.

gopherbot pushed a commit to golang/net that referenced this issue Jan 20, 2016
This validates incoming header field values in Server and Transport to
make sure the peer isn't sending us a \x00, CR, NL or other non-VCHAR
except space and tab.

It does not yet validate that we don't send such things, though.

Updates golang/go#14029

Change-Id: I7c6a56d5d0d255f1b8fa64480b34b3b5e1f4f367
Reviewed-on: https://go-review.googlesource.com/18727
Reviewed-by: Andrew Gerrand <adg@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@gopherbot

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jan 20, 2016

CL https://golang.org/cl/18728 mentions this issue.

gopherbot pushed a commit that referenced this issue Jan 21, 2016
…ternal

Updates x/net/http2 to git rev b2ed34f for https://golang.org/cl/18727

Updates #14029 (fixes it enough for Go 1.6)
Fixes #13961

Change-Id: Id301247545507671f4e79df0e7c6ec9c421d5a7c
Reviewed-on: https://go-review.googlesource.com/18728
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
@bradfitz bradfitz modified the milestones: Go1.7, Go1.6 Jan 21, 2016
@bradfitz bradfitz changed the title x/net/http2: validate header values x/net/http2: validate sent header field names & values Jan 21, 2016
@bradfitz bradfitz changed the title x/net/http2: validate sent header field names & values x/net/http2: validate received header values Jan 21, 2016
@bradfitz bradfitz modified the milestones: Go1.6, Go1.7 Jan 21, 2016
@bradfitz bradfitz closed this Jan 21, 2016
@golang golang locked and limited conversation to collaborators Jan 23, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.