Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use rfc2047decode in fixMangledMediaType for #134 #136

Merged
merged 3 commits into from
Oct 16, 2019
Merged

use rfc2047decode in fixMangledMediaType for #134 #136

merged 3 commits into from
Oct 16, 2019

Conversation

requaos
Copy link
Collaborator

@requaos requaos commented Oct 15, 2019

No description provided.

@coveralls
Copy link

coveralls commented Oct 15, 2019
edited
Loading

Coverage Status

Coverage increased (+0.4%) to 88.189% when pulling d9268eb on requaos:requaos/consolidaterfc2047decoder into d24345a on jhillyerd:develop.

@requaos
Copy link
Collaborator Author

requaos commented Oct 15, 2019
edited
Loading

@jhillyerd Nevermind, I was able to reproduce with GOROOT v1.13.1

@requaos
Copy link
Collaborator Author

requaos commented Oct 16, 2019

golang/go#34540
net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

This issue is CVE-2019-16276 and is fixed in Go 1.13.1 and Go 1.12.10.

@requaos
Copy link
Collaborator Author

requaos commented Oct 16, 2019

@jhillyerd Considering that the above CVE applies to HTTP/1.1 headers, and is specifically for scenarios like:
HeaderKey : HeaderValue/r/n
I propose adding to the input filter to correct cases specific to this.

@jhillyerd jhillyerd self-requested a review October 16, 2019 16:01
jhillyerd
jhillyerd approved these changes Oct 16, 2019
View reviewed changes
Copy link
Owner

@jhillyerd jhillyerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This all looks good to me.

@requaos requaos merged commit 7d95f55 into jhillyerd:develop Oct 16, 2019
@requaos requaos deleted the requaos/consolidaterfc2047decoder branch October 16, 2019 19:15
@requaos requaos mentioned this pull request Oct 16, 2019
Closed
@dcormier
Copy link
Contributor

Might want to check if \t is handled or not. I thought when I glanced at the golang change that that case is also different now.

@requaos requaos mentioned this pull request Nov 1, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhillyerd jhillyerd jhillyerd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@requaos @coveralls @dcormier @jhillyerd