net/http: improper sanitization of Transfer-Encoding header #53188
Labels
Milestone
Comments
|
Change https://go.dev/cl/409874 mentions this issue: |
dmitshur
added
the
NeedsFix
|
Change https://go.dev/cl/410714 mentions this issue: |
|
@gopherbot please open backport issues. |
|
Backport issue(s) opened: #53432 (for 1.17), #53433 (for 1.18). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/415217 mentions this issue: |
|
Change https://go.dev/cl/415218 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jul 12, 2022
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For #53188 For CVE-2022-1705 Fixes #53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Jul 12, 2022
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For #53188 For CVE-2022-1705 Fixes #53433 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415218 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Jul 14, 2022
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53433 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415218 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
jproberts
pushed a commit
to jproberts/go
that referenced
this issue
Aug 10, 2022
Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. Fixes golang#53188 Fixes CVE-2022-1705 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
…r-Encoding headers EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
…r-Encoding headers EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 12, 2022
…r-Encoding headers EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@b8c48c1 Upstream Source Commit: golang@d13431c # Original Information Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@b8c48c1 Upstream Source Commit: golang@d13431c # Original Information Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@d51c433 Upstream Source Commit: tailscale@61d05bd # Original Information EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For golang#53188 For CVE-2022-1705 Fixes golang#53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a9) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Nov 8, 2022
Return an error when parsing a MIME header containing bytes in the key or value outside the set allowed by RFC 7230. For historical compatibility, accept spaces in keys (but do not canonicalize the key in this case). For #53188. Change-Id: I195319362a2fc69c4e506644f78c5026db070379 Reviewed-on: https://go-review.googlesource.com/c/go/+/410714 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
net/httpserver improperly strips CRs surrounding theTransfer-Encodingheader value, treating"Transfer-Encoding: \rchunked"as indicating a chunked body.For example, this request is interpreted as containing the body
a.This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.
Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.
The text was updated successfully, but these errors were encountered: