
net/http/cgi: reject invalid header names [freeze exception] #38889

Closed
FiloSottile opened this issue May 5, 2020 · 3 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Comments

@FiloSottile
Contributor

While working on CL 231419, I noticed we trim spaces around the names of the headers generated by CGI programs. This is not as serious as #34540 because the CGI program output is presumably trusted, but CGI is such a generic interface that I'd feel better if we didn't do anything potentially risky like that.

I'd like to request a freeze exception to land CL 232277 this week.

/cc @andybons @rsc
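To make the concern concrete, here is an added example (not the project's code and not what CL 232277 landed) of a Go parser for a CGI program's header block that rejects any header name which is not an RFC 7230 token, instead of trimming whitespace around it; the function names and the sample CGI output are constructed for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ValidHeaderName reports whether name is a non-empty RFC 7230 token (letters,
// digits, listed punctuation). Space, ':' and control bytes are not tokens.
func ValidHeaderName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c >= '0' && c <= '9', c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// ParseCGIHeaders reads the header block a CGI program wrote to stdout and
// fails on any line whose name is not a valid token rather than trimming it.
func ParseCGIHeaders(output string) (map[string]string, error) {
	headers := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break // blank line terminates the header block
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok || !ValidHeaderName(name) {
			return nil, fmt.Errorf("cgi: invalid header line %q", line)
		}
		headers[name] = strings.TrimSpace(value) // whitespace around the value is allowed
	}
	return headers, sc.Err()
}

func main() {
	// Constructed CGI output with a space before the colon in the header name.
	_, err := ParseCGIHeaders("Content-Type : text/html\r\n\r\nhello")
	fmt.Println(err)
}
```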

@FiloSottile FiloSottile added NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. release-blocker labels May 5, 2020
@FiloSottile FiloSottile added this to the Go1.15 milestone May 5, 2020
@gopherbot

Change https://golang.org/cl/232277 mentions this issue: net/http/cgi: reject invalid header names

@andybons
Member

andybons commented May 6, 2020

I think this is OK as it’s small and security related. Will wait for @rsc to confirm.

@rsc
Contributor

rsc commented May 6, 2020

SGTM, thanks.

@andybons andybons added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. labels May 6, 2020
xujianhai666 pushed a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
Being lenient on those has caused enough security issues.

Spun out of CL 231419.

Fixes golang#38889

Change-Id: Idd3bc6adc22e08a30b3dabb146ce78d4105684cd
Reviewed-on: https://go-review.googlesource.com/c/go/+/232277
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@FiloSottile FiloSottile changed the title freeze exception: net/http/cgi: reject invalid header names net/http/cgi: reject invalid header names [freeze exception] Jun 2, 2020
@golang golang locked and limited conversation to collaborators Jun 2, 2021