net/http: imperva HTTP/2 attack vectors report #16630
Comments
Can I reply in text or do I need to generate a PDF?
I couldn't see a text version of it, aside from this rather useless link: http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&ID=2192322 , sorry. Thank you.
The PDF is wordy, so here's a summary of the article's contents. None of the specific issues mentioned are about Go, and some do not even seem possible (1 thread per stream, buffer overflow, etc).

(page 7) HTTP/2 Stream Multiplexing
(page 9) HTTP/2 Flow Control
(page 12) Dependency and Priority
(page 16) HPACK Bomb
The only one I'd want to double-check is the HPACK bomb (haven't read the details yet). But golang/net@6050c11 and golang/net@21c3935 and golang/net@59e870b and golang/net@d8f3c68 and golang/net@29704b8 seem to cover it.
Yeah, I think we're fine here. Please file a bug if you find a problem in Go's implementation.
Hello,
I've just seen the issues highlighted by this report: https://www.nginx.com/blog/the-imperva-http2-vulnerability-report-and-nginx/ (download shortcut: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf) with regards to HTTP/2 implementation in web servers and I'd like to ask if this is something that the Go team is aware of and if Go itself is vulnerable to the issues described there.
Sorry if this is the wrong place to ask, I wasn't sure if I should ask here or on golang-dev.
Thank you.