projects / golang-1.7.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: cd7e77d) | patch
CVE-2019-16276
authorGo Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)
committerSylvain Beucler <beuc@debian.org>
Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)
commita29cb173cffe6341e8bfb79f47c41db2364cab48
tree614292ef57e7eaae6630d8316a63364878328a87tree | snapshot
parentcd7e77dc3aa118933cee75009b561d5ec08850abcommit | diff
CVE-2019-16276

Origin: https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-12

From 6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Thu, 12 Sep 2019 12:37:36 -0400
Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't
 normalize headers with spaces before the colon

RFC 7230 is clear about headers with a space before the colon, like

X-Answer : 42

being invalid, but we've been accepting and normalizing them for compatibility
purposes since CL 5690059 in 2012.

On the client side, this is harmless and indeed most browsers behave the same
to this day. On the server side, this becomes a security issue when the
behavior doesn't match that of a reverse proxy sitting in front of the server.

For example, if a WAF accepts them without normalizing them, it might be
possible to bypass its filters, because the Go server would interpret the
header differently. Worse, if the reverse proxy coalesces requests onto a
single HTTP/1.1 connection to a Go server, the understanding of the request
boundaries can get out of sync between them, allowing an attacker to tack an
arbitrary method and path onto a request by other clients, including
authentication headers unknown to the attacker.

This was recently presented at multiple security conferences:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

net/http servers already reject header keys with invalid characters.
Simply stop normalizing extra spaces in net/textproto, let it return them
unchanged like it does for other invalid headers, and let net/http enforce
RFC 7230, which is HTTP specific. This loses us normalization on the client
side, but there's no right answer on the client side anyway, and hiding the
issue sounds worse than letting the application decide.

Fixes CVE-2019-16276

Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719
Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Gbp-Pq: Name CVE-2019-16276.patch
src/net/http/serve_test.go diff | blob | history
src/net/http/transport_test.go diff | blob | history
src/net/textproto/reader.go diff | blob | history
src/net/textproto/reader_test.go diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.