Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: improper sanitization of Transfer-Encoding header #53188

Closed
neild opened this issue Jun 1, 2022 · 6 comments
Closed

net/http: improper sanitization of Transfer-Encoding header #53188

neild opened this issue Jun 1, 2022 · 6 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.19

Comments

@neild
Copy link
Contributor

neild commented Jun 1, 2022

The net/http server improperly strips CRs surrounding the Transfer-Encoding header value, treating "Transfer-Encoding: \rchunked" as indicating a chunked body.

For example, this request is interpreted as containing the body a.

echo -ne "POST /post HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: \rchunked\r\n\r\n1\r\na\r\n0\r\n\r\n" | nc localhost 8080

This is a weak vector for request smuggling: CRs are not permitted in headers aside from in the CRLF line terminators, so this request is invalid. We should still fix this as a general hardening measure.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for reporting this issue.
@gopherbot
Copy link

gopherbot commented Jun 1, 2022

Change https://go.dev/cl/409874 mentions this issue: net/http: don't strip whitespace from Transfer-Encoding headers

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 3, 2022
@dmitshur dmitshur added this to the Go1.19 milestone Jun 3, 2022
@gopherbot
Copy link

gopherbot commented Jun 6, 2022

Change https://go.dev/cl/410714 mentions this issue: net/textproto: reject invalid header keys/values in ReadMIMEHeader

@neild
Copy link
Contributor Author

neild commented Jun 17, 2022

@gopherbot please open backport issues.

@gopherbot gopherbot mentioned this issue Jun 17, 2022
Closed
@gopherbot
Copy link

gopherbot commented Jun 17, 2022

Backport issue(s) opened: #53432 (for 1.17), #53433 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot gopherbot mentioned this issue Jun 17, 2022
Closed
@gopherbot
Copy link

gopherbot commented Jun 29, 2022

Change https://go.dev/cl/415217 mentions this issue: [release-branch.go1.17] net/http: don't strip whitespace from Transfer-Encoding headers

@gopherbot
Copy link

gopherbot commented Jun 29, 2022

Change https://go.dev/cl/415218 mentions this issue: [release-branch.go1.18] net/http: don't strip whitespace from Transfer-Encoding headers

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@neild @mknyszek
[release-branch.go1.17] net/http: don't strip whitespace from Transfe…
d13431c 
…r-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For #53188
For CVE-2022-1705
Fixes #53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Jul 12, 2022
@neild @mknyszek
[release-branch.go1.18] net/http: don't strip whitespace from Transfe…
222ee24 
…r-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For #53188
For CVE-2022-1705
Fixes #53433

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415218
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
@neild @bradfitz
[release-branch.go1.18] net/http: don't strip whitespace from Transfe…
61d05bd 
…r-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53433

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415218
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@tatianab tatianab mentioned this issue Jul 14, 2022
Closed
jproberts pushed a commit to jproberts/go that referenced this issue Aug 10, 2022
@neild @jproberts
net/http: don't strip whitespace from Transfer-Encoding headers
2ded4a8 
Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

Fixes golang#53188
Fixes CVE-2022-1705

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
@neild @danbudris
[release-branch.go1.17] net/http: don't strip whitespace from Transfe…
d51c433 
…r-Encoding headers

EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
@neild @danbudris
[release-branch.go1.17] net/http: don't strip whitespace from Transfe…
36ad18d 
…r-Encoding headers

EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 12, 2022
@neild @danbudris
[release-branch.go1.17] net/http: don't strip whitespace from Transfe…
6ede48b 
…r-Encoding headers

EKS: retain original use of strings.ToLower present in 1.16. See: golang@5c48951

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
@neild @danbudris
[release-branch.go1.17] net/http: don't strip whitespace from Transfe…
b8c48c1 
…r-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
@neild
net/http: don't strip whitespace from Transfer-Encoding headers
c3c7086 
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@b8c48c1
Upstream Source Commit: golang@d13431c

# Original Information

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
Release Status & Blockers (1.20)
Status: Done
Milestone
Go1.19
Development

No branches or pull requests
4 participants
@neild @dmitshur @tatianab @gopherbot