Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http, net/http/cgi: fix HTTP_PROXY security issue #16405

Closed
bradfitz opened this issue Jul 18, 2016 · 1 comment

Comments

Projects
None yet
3 participants
@bradfitz
Copy link
Member

commented Jul 18, 2016

Because,

  • The CGI spec defines that incoming request header "Foo: Bar" maps to environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)
  • The HTTP_PROXY environment variable is conventionally used to configure the HTTP proxy for HTTP clients (and is respected by default for Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child process under a CGI host) are vulnerable to an incoming request containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

@bradfitz bradfitz added the Security label Jul 18, 2016

@broady broady modified the milestones: Go1.6.3, Go1.7 Jul 18, 2016

@bradfitz bradfitz changed the title security: placeholder net/http, net/http/cgi: fix HTTP_PROXY security issue Jul 18, 2016

@bradfitz

This comment has been minimized.

Copy link
Member Author

commented Jul 18, 2016

The fix is at https://golang.org/cl/25010, which addressed both sides:

  • the http.Transport will no longer respect the HTTP_PROXY environment variable if it appears that we're running in a CGI environment. This is similar to this fix from @gisle in 2001: http://www.nntp.perl.org/group/perl.libwww/2001/03/msg2249.html Props to @RandalSchwartz and @gisle for beating us all to the fix by 15 years and not giving it a marketing website?
  • the CGI Host implementation will stop setting HTTP_PROXY to protect others. There's now no way to get at the "Proxy" request header if anybody was depending on it. Oh well?

Sadly, in a past life I wrote and maintained http://search.cpan.org/~bradfitz/LWPx-ParanoidAgent/lib/LWPx/ParanoidAgent.pm to protect against attacks like this bug, but never considered this case :(

gopherbot pushed a commit that referenced this issue Jul 18, 2016

[release-branch.go1.6] net/http, net/http/cgi: fix for CGI + HTTP_PRO…
…XY security issue

Because,

* The CGI spec defines that incoming request header "Foo: Bar" maps to
  environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)

* The HTTP_PROXY environment variable is conventionally used to configure
  the HTTP proxy for HTTP clients (and is respected by default for
  Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

Fixes #16405

Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-on: https://go-review.googlesource.com/25012

@gopherbot gopherbot closed this in b97df54 Jul 18, 2016

gopherbot pushed a commit that referenced this issue Jul 18, 2016

[release-branch.go1.7] net/http, net/http/cgi: fix for CGI + HTTP_PRO…
…XY security issue

Because,

* The CGI spec defines that incoming request header "Foo: Bar" maps to
  environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)

* The HTTP_PROXY environment variable is conventionally used to configure
  the HTTP proxy for HTTP clients (and is respected by default for
  Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

Fixes #16405

Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-on: https://go-review.googlesource.com/25013

@golang golang locked and limited conversation to collaborators Jul 18, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.