x/net/xsrftoken: improper string manipulation could lead to bypass #34308
Labels: FrozenDueToAge, help wanted, NeedsFix (the path to resolution is known, but the work has not been done), Security
What version of Go are you using (`go version`)?
go version go1.13 linux/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (`go env`)?
Not relevant
What did you do?
What did you expect to see?
"false"
What did you see instead?
"true"
More info
This is due to a pre-processing of the input that replaces `:` with `_` (colons are internally used as separators), thus creating a clash between different users (in this example the user `user_foo_` can obtain valid tokens for `user:foo:` and vice versa). I would advise properly escaping colons instead of replacing them with underscores. The risk is that, otherwise, a service that allows users to pick their own IDs would be exposed to CSRF protection bypass.
One example of a fix would be to change the `clean` function to this:

cc/ @bradfitz @FiloSottile @dgryski
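The following is an added, self-contained Go model of the collision the issue describes; it is not the reporter's code and not the code of x/net/xsrftoken. It assumes a simplified token construction (HMAC-SHA256 over "cleanedUser:cleanedAction:timestamp", base64url-encoded, with a constructed key and fixed timestamp) and a hypothetical escaping rule (`\` to `\\`, `:` to `\:`) as the injective alternative; the library's real format and its eventual fix may differ. It shows that the replace-based clean makes `user_foo_` and `user:foo:` produce the same token, that no cleaning at all lets a colon shift the field boundary between user and action IDs, and that an injective escape avoids both:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// CleanNone leaves the ID untouched. Included to show why cleaning exists
// at all: without it, a ':' inside an ID shifts the field boundaries of the
// MACed message.
func CleanNone(s string) string { return s }

// CleanReplace mirrors the behaviour the issue describes: every ':' becomes
// '_', so "user:foo:" and "user_foo_" collapse to the same string.
func CleanReplace(s string) string { return strings.ReplaceAll(s, ":", "_") }

// CleanEscape is a hypothetical injective alternative (an assumption of this
// example, not the library's actual fix): escape the escape character first,
// then the separator, so distinct inputs always yield distinct outputs and an
// unescaped ':' in the output can only be a field separator.
func CleanEscape(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, ":", `\:`)
}

// Message builds the string that is MACed: cleaned user ID, cleaned action
// ID and a timestamp, joined by ':'. This is a simplification of the scheme
// the issue describes, not the library's exact format.
func Message(clean func(string) string, userID, actionID string, ts int64) string {
	return fmt.Sprintf("%s:%s:%d", clean(userID), clean(actionID), ts)
}

// Token returns base64url(HMAC-SHA256(key, Message(...))).
func Token(key []byte, clean func(string) string, userID, actionID string, ts int64) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(Message(clean, userID, actionID, ts)))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Collides reports whether two (userID, actionID) pairs produce the same
// token under the given clean function at the same instant, i.e. whether a
// token minted for the first pair would validate for the second.
func Collides(clean func(string) string, u1, a1, u2, a2 string) bool {
	key := []byte("constructed-demo-key") // constructed for the example, not a real secret
	const ts int64 = 1568640000000        // constructed fixed timestamp (ms)
	t1 := Token(key, clean, u1, a1, ts)
	t2 := Token(key, clean, u2, a2, ts)
	return hmac.Equal([]byte(t1), []byte(t2))
}

func main() {
	cleaners := []struct {
		name  string
		clean func(string) string
	}{{"none", CleanNone}, {"replace", CleanReplace}, {"escape", CleanEscape}}
	for _, c := range cleaners {
		fmt.Printf("%-8s user_foo_ vs user:foo: collide=%-5v  (a:b,c) vs (a,b:c) collide=%v\n",
			c.name,
			Collides(c.clean, "user_foo_", "action", "user:foo:", "action"),
			Collides(c.clean, "a:b", "c", "a", "b:c"))
	}
}
```

The check a practitioner wants is the one `Collides` performs: two distinct principals must never share a token at the same instant, whatever characters they put in their IDs. Any lossy canonicalisation of an attacker-chosen field before MACing (replace, trim, case-fold) reopens that question; an injective encoding closes it.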