Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/net/xsrftoken: improper string manipulation could lead to bypass #34308

Closed
empijei opened this issue Sep 15, 2019 · 1 comment
Closed

x/net/xsrftoken: improper string manipulation could lead to bypass #34308

empijei opened this issue Sep 15, 2019 · 1 comment
Labels
FrozenDueToAge help wanted NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@empijei
Copy link
Contributor

empijei commented Sep 15, 2019
edited

What version of Go are you using (go version)?

go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Not relevant

What did you do?

	const (
		user1 = ":foo:"
		user2 = "_foo_"
	)
	tok := xsrftoken.Generate("key", user1, "action")
	fmt.Println(xsrftoken.Valid(tok, "key", user2, "action"))

What did you expect to see?

"false"

What did you see instead?

"true"

More info

This is due to a pre-processing of the input that replaces : with _ (colons are internally used as separators) thus creating a clash between different users (in this example the user _foo_ can obtain valid tokens for user :foo: and viceversa).

I would advise to properly escape colons instead of replacing them with underscores. The risk is that, otherwise, a service that allows users to pick their own IDs would be exposed to CSRF protection bypass.

One example of fix would be to change the clean function to this:

func clean(s string) string {
	s = strings.Replace(s, `\`, `\\`, -1)
	return strings.Replace(s, `:`, `\:`, -1)
}

Note: I already discussed this with @andybons and we agreed it is low risk enough to open a public bug for.

cc/ @bradfitz @FiloSottile @dgryski
@gopherbot gopherbot added this to the Unreleased milestone Sep 15, 2019
@empijei empijei changed the title x/net/xsrftoken: Improper string manipulation could lead to bypass. x/net/xsrftoken: Security: improper string manipulation could lead to bypass. Sep 15, 2019
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 17, 2019
@andybons andybons added help wanted NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Sep 18, 2019
@titanous titanous changed the title x/net/xsrftoken: Security: improper string manipulation could lead to bypass. x/net/xsrftoken: improper string manipulation could lead to bypass Sep 18, 2019
@gopherbot
Copy link

Change https://golang.org/cl/196457 mentions this issue: x/net/xsrftoken: escape colons

@golang golang locked and limited conversation to collaborators Sep 22, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge help wanted NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@toothrot @titanous @andybons @empijei @gopherbot