To prevent TOCTOU attacks, use checked IP addr directly for connections #1

Merged
merged 1 commit into from Aug 5, 2015

hakobe commented Aug 5, 2015

Checking a connecting host in http.Transport is vulnerable to TOCTOU attacks. This PR fixes it by checking hosts and using the resolved addrs at dialing.

I want to thank @kazuho for pointing this out (https://twitter.com/kazuho/status/628741345801154562).

hakobe added a commit that referenced this pull request Aug 5, 2015

Merge pull request #1 from hakobe/use-dialer-prevent-TOCTOU-attack
To prevent TOCTOU attacks, use checked IP addr directly for connections

@hakobe hakobe merged commit 8587865 into master Aug 5, 2015

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@shogo82148 shogo82148 referenced this pull request Jan 7, 2017

Open

TOCTOU attacks issue #10
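
The approach the PR description names (check the resolved address, then dial that same address instead of the hostname), as an added example that is not the code from this pull request. The names `allowed`, `checkedTarget` and `safeDialContext`, the deny policy, and the sample hostname are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
)

var errForbidden = errors.New("destination address is not allowed")

// allowed is an assumed policy: refuse loopback, private, link-local and unspecified IPs.
func allowed(ip net.IP) bool { return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) }

// checkedTarget resolves once, checks every answer, and returns an IP-literal "ip:port",
// so dialing it cannot trigger a second (possibly different) DNS lookup.
func checkedTarget(ctx context.Context, lookup func(context.Context, string) ([]net.IPAddr, error), addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	ips, err := lookup(ctx, host)
	if err != nil {
		return "", err
	}
	if len(ips) == 0 {
		return "", errForbidden
	}
	for _, a := range ips {
		if !allowed(a.IP) {
			return "", errForbidden // one bad answer rejects the whole name
		}
	}
	return net.JoinHostPort(ips[0].IP.String(), port), nil
}

// safeDialContext has the signature of http.Transport.DialContext.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	target, err := checkedTarget(ctx, net.DefaultResolver.LookupIPAddr, addr)
	if err != nil {
		return nil, err
	}
	return (&net.Dialer{}).DialContext(ctx, network, target)
}

func main() {
	// Constructed loopback answer for a hypothetical name; no network access is needed.
	fake := func(context.Context, string) ([]net.IPAddr, error) { return []net.IPAddr{{IP: net.IPv4(127, 0, 0, 1)}}, nil }
	fmt.Println(checkedTarget(context.Background(), fake, "internal.example:80"))
}
```

Assigning `safeDialContext` to the `DialContext` field of an `http.Transport` applies the check to every connection that transport opens; TLS verification still uses the hostname from the request URL.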
