Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/net/http2: validate received header values #14029

Closed
bradfitz opened this issue Jan 20, 2016 · 2 comments
Closed

x/net/http2: validate received header values #14029

bradfitz opened this issue Jan 20, 2016 · 2 comments
Labels
FrozenDueToAge
Milestone
Go1.6

Comments

@bradfitz
Copy link
Contributor

The Go http2 implementation (client & server) validates header values (the validHeader func) but I missed the very next sentence in the http2 spec before:

https://httpwg.github.io/specs/rfc7540.html#rfc.section.10.3

Similarly, HTTP/2 allows header field values that are not valid. While most of the values that can be encoded will not alter header field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0) might be exploited by an attacker if they are translated verbatim. Any request or response that contains a character not permitted in a header field value MUST be treated as malformed (Section 8.1.2.6). Valid characters are defined by the field-content ABNF rule in Section 3.2 of [RFC7230].

I only thought to go look because I saw a mention of it in the gRPC wire protocol docs:

Note that HTTP2 does not allow arbitrary octet sequences for header values so binary header values must be encoded using Base64

Needs to be fixed in both the client & server, next to existing checks like:

        if !validHeader(f.Name) {
                rl.reqMalformed = errInvalidHeaderKey
                return false
        }
@bradfitz bradfitz self-assigned this Jan 20, 2016
@bradfitz bradfitz added this to the Go1.6 milestone Jan 20, 2016
@gopherbot
Copy link

CL https://golang.org/cl/18727 mentions this issue.

gopherbot pushed a commit to golang/net that referenced this issue Jan 20, 2016
@bradfitz
http2: validate received header field values in Server and Transport
b2ed34f 
This validates incoming header field values in Server and Transport to
make sure the peer isn't sending us a \x00, CR, NL or other non-VCHAR
except space and tab.

It does not yet validate that we don't send such things, though.

Updates golang/go#14029

Change-Id: I7c6a56d5d0d255f1b8fa64480b34b3b5e1f4f367
Reviewed-on: https://go-review.googlesource.com/18727
Reviewed-by: Andrew Gerrand <adg@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@gopherbot
Copy link

CL https://golang.org/cl/18728 mentions this issue.

gopherbot pushed a commit that referenced this issue Jan 21, 2016
@bradfitz
net/http: update http2 to check header values, move from vendor to in…
e8e1928 
…ternal

Updates x/net/http2 to git rev b2ed34f for https://golang.org/cl/18727

Updates #14029 (fixes it enough for Go 1.6)
Fixes #13961

Change-Id: Id301247545507671f4e79df0e7c6ec9c421d5a7c
Reviewed-on: https://go-review.googlesource.com/18728
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
@bradfitz bradfitz modified the milestones: Go1.7, Go1.6 Jan 21, 2016
@bradfitz bradfitz changed the title x/net/http2: validate header values x/net/http2: validate sent header field names & values Jan 21, 2016
@bradfitz bradfitz changed the title x/net/http2: validate sent header field names & values x/net/http2: validate received header values Jan 21, 2016
@bradfitz bradfitz modified the milestones: Go1.6, Go1.7 Jan 21, 2016
@bradfitz bradfitz mentioned this issue Jan 21, 2016
Closed
@golang golang locked and limited conversation to collaborators Jan 23, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.6
Development

No branches or pull requests
2 participants
@bradfitz @gopherbot