net/http: imperva HTTP/2 attack vectors report #16630
Comments
dlsniper
changed the title
josharian
changed the title
|
Can I reply in text or do I need to generate a PDF? |
|
I couldn't see a text version of it, aside from this rather useless link: http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&ID=2192322 , sorry. Thank you. |
|
The PDF is wordy, so here's a summary of the article's contents. None of the specific issues mentioned are about Go, and some do not even seem possible (1 thread per stream, buffer overflow, etc). (page 7) HTTP/2 Stream Multiplexing
(page 9) HTTP/2 Flow Control
(page 12) Dependency and Priority
(page 16) HPACK Bomb
|
|
The only one I'd want to double-check is the HPACK bomb (haven't read the details yet). But golang/net@6050c11 and golang/net@21c3935 and golang/net@59e870b and golang/net@d8f3c68 and golang/net@29704b8 seem to cover it. |
|
Yeah, I think we're fine here. Please file a bug if you find a problem in Go's implementation. |
Hello,
I've just seen the issues highlighted by this report: https://www.nginx.com/blog/the-imperva-http2-vulnerability-report-and-nginx/ (download shortcut: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf) with regards to HTTP/2 implementation in web servers and I'd like to ask if this is something that the Go team is aware of and if Go itself is vulnerable to the issues described there.
Sorry if this is the wrong place to ask, I wasn't sure if I should ask here or on golang-dev.
Thank you.
The text was updated successfully, but these errors were encountered: