net/http: memory exhaustion in Request.ParseMultipartForm [CVE-2023-45290]

[neild]

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

ParseMultipartForm now correctly limits the maximum size of form lines.

Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-45290.

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #65388 (for 1.20), #65389 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[mknyszek]

@gopherbot Please open a backport issue for Go 1.22 as well.

[dmitshur]

@mknyszek gopherbot is sorry but it can't do that yet: #25574.

[mknyszek]

I'll leave a note for the next release rotation person to do this after the release goes out, so it doesn't get lost.

[gopherbot]

Change https://go.dev/cl/569237 mentions this issue: [release-branch.go1.22] net/textproto, mime/multipart: avoid unbounded read in MIME header