net/http: improper sanitization of Transfer-Encoding header

[neild]

The net/http server improperly strips CRs surrounding the Transfer-Encoding header value, treating "Transfer-Encoding: \rchunked" as indicating a chunked body.

For example, this request is interpreted as containing the body a.

echo -ne "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n1\r\na\r\n0\r\n\r\n" | nc localhost 8080

This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.

[gopherbot]

Change https://go.dev/cl/409874 mentions this issue: net/http: don't strip whitespace from Transfer-Encoding headers

[gopherbot]

Change https://go.dev/cl/410714 mentions this issue: net/textproto: reject invalid header keys/values in ReadMIMEHeader

[neild]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #53432 (for 1.17), #53433 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/415217 mentions this issue: [release-branch.go1.17] net/http: don't strip whitespace from Transfer-Encoding headers

[gopherbot]

Change https://go.dev/cl/415218 mentions this issue: [release-branch.go1.18] net/http: don't strip whitespace from Transfer-Encoding headers