-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: improper sanitization of Transfer-Encoding header #53188
Comments
Change https://go.dev/cl/409874 mentions this issue: |
Change https://go.dev/cl/410714 mentions this issue: |
@gopherbot please open backport issues. |
Backport issue(s) opened: #53432 (for 1.17), #53433 (for 1.18). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/415217 mentions this issue: |
Change https://go.dev/cl/415218 mentions this issue: |
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For #53188 For CVE-2022-1705 Fixes #53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For #53188 For CVE-2022-1705 Fixes #53433 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415218 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53433 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415218 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. Fixes golang#53188 Fixes CVE-2022-1705 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
…r-Encoding headers EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…r-Encoding headers EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…r-Encoding headers EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@b8c48c1 Upstream Source Commit: golang@d13431c # Original Information Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@b8c48c1 Upstream Source Commit: golang@d13431c # Original Information Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@d51c433 Upstream Source Commit: tailscale@61d05bd # Original Information EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Return an error when parsing a MIME header containing bytes in the key or value outside the set allowed by RFC 7230. For historical compatibility, accept spaces in keys (but do not canonicalize the key in this case). For #53188. Change-Id: I195319362a2fc69c4e506644f78c5026db070379 Reviewed-on: https://go-review.googlesource.com/c/go/+/410714 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com>
Change https://go.dev/cl/504416 mentions this issue: |
Change https://go.dev/cl/504881 mentions this issue: |
We parse mail messages using net/textproto. For #53188, we tightened up the bytes permitted by net/textproto to match RFC 7230. However, this package uses RFC 5322 which is more permissive. Restore the permisiveness we used to have, so that older code continues to work. Fixes #58862 Fixes #60332 Change-Id: I5437f5e18a756f6ca61c13c4d8ba727be73eff9a Reviewed-on: https://go-review.googlesource.com/c/go/+/504416 Run-TryBot: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com>
We parse mail messages using net/textproto. For #53188, we tightened up the bytes permitted by net/textproto to match RFC 7230. However, this package uses RFC 5322 which is more permissive. Restore the permisiveness we used to have, so that older code continues to work. For #58862 For #60332 Fixes #60874 Fixes #60875 Change-Id: I5437f5e18a756f6ca61c13c4d8ba727be73eff9a Reviewed-on: https://go-review.googlesource.com/c/go/+/504881 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com>
We parse mail messages using net/textproto. For golang#53188, we tightened up the bytes permitted by net/textproto to match RFC 7230. However, this package uses RFC 5322 which is more permissive. Restore the permisiveness we used to have, so that older code continues to work. Fixes golang#58862 Fixes golang#60332 Change-Id: I5437f5e18a756f6ca61c13c4d8ba727be73eff9a Reviewed-on: https://go-review.googlesource.com/c/go/+/504416 Run-TryBot: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com>
The
net/http
server improperly strips CRs surrounding theTransfer-Encoding
header value, treating"Transfer-Encoding: \rchunked"
as indicating a chunked body.For example, this request is interpreted as containing the body
a
.This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.
Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.
The text was updated successfully, but these errors were encountered: