net/http: improper sanitization of Transfer-Encoding header #53188

Open
neild opened this issue Jun 1, 2022 · 4 comments
@neild neild commented Jun 1, 2022

The net/http server improperly strips CRs surrounding the Transfer-Encoding header value, treating "Transfer-Encoding: \rchunked" as indicating a chunked body.

For example, this request is interpreted as containing the body a.

echo -ne "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n1\r\na\r\n0\r\n\r\n" | nc localhost 8080

This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.
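Added example, not part of the original issue and not net/http source code: a Go sketch contrasting a parser that trims the Transfer-Encoding value with `strings.TrimSpace` (which also removes CR) against one that rejects control bytes before trimming only SP and HTAB. The function names and sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// lenientIsChunked models the behaviour described in the issue (an
// assumption, not net/http source): the value is trimmed with
// strings.TrimSpace, which removes '\r' as well as SP and HTAB.
func lenientIsChunked(value string) bool {
	return strings.EqualFold(strings.TrimSpace(value), "chunked")
}

// validFieldValue reports whether v holds only bytes allowed in an HTTP
// field value: HTAB, SP, visible ASCII and obs-text (0x80-0xFF).
// CR, LF, NUL and the other control bytes are rejected.
func validFieldValue(v string) bool {
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '\t' || c == ' ' || (c >= 0x21 && c <= 0x7e) || c >= 0x80 {
			continue
		}
		return false
	}
	return true
}

// strictIsChunked rejects invalid values first, then strips only the
// optional whitespace (SP / HTAB) that may surround a field value.
func strictIsChunked(value string) (bool, error) {
	if !validFieldValue(value) {
		return false, fmt.Errorf("invalid byte in Transfer-Encoding value %q", value)
	}
	return strings.EqualFold(strings.Trim(value, " \t"), "chunked"), nil
}

func main() {
	// Constructed sample values, as seen after the header line has been
	// split at its CRLF terminator and at the colon.
	for _, v := range []string{"chunked", " chunked", " \rchunked", "chunked\r", "gzip"} {
		ok, err := strictIsChunked(v)
		fmt.Printf("%-12q lenient=%-5v strict=%-5v err=%v\n", v, lenientIsChunked(v), ok, err)
	}
}
```

A server using the strict form should answer a rejected value with 400 Bad Request rather than fall back to another framing rule for the body.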

@gopherbot gopherbot commented Jun 1, 2022

Change https://go.dev/cl/409874 mentions this issue: net/http: don't strip whitespace from Transfer-Encoding headers

@dmitshur dmitshur added the NeedsFix label Jun 3, 2022
@dmitshur dmitshur added this to the Go1.19 milestone Jun 3, 2022
@gopherbot gopherbot commented Jun 6, 2022

Change https://go.dev/cl/410714 mentions this issue: net/textproto: reject invalid header keys/values in ReadMIMEHeader

@neild neild commented Jun 17, 2022

@gopherbot please open backport issues.

@gopherbot gopherbot commented Jun 17, 2022

Backport issue(s) opened: #53432 (for 1.17), #53433 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
