net/http: server permits handlers to write headers with newlines #47711
Thanks. A better repro, as the query param part is fine and a bit of a distraction: https://play.golang.org/p/v7ghPz4CfxT

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
)

func main() {
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Foo", "Bar")
		// Header name containing a newline: this is the behaviour under discussion.
		w.Header().Set("Xxx: xxxx\nSmuggle", "smuggleval")
	}))
	defer ts.Close()
	res, err := http.Get(ts.URL)
	if err != nil {
		log.Fatal(err)
	}
	defer res.Body.Close()
	// Dump the raw response so the wire-level headers are visible.
	res.Write(os.Stdout)
	fmt.Printf("%v", res.Header)
}
```

Produces:
bradfitz changed the title from "CRLF in Go's Header().Set() function" to "net/http: Server permits handlers to write headers with newlines" on Aug 16, 2021

mknyszek changed the title from "net/http: Server permits handlers to write headers with newlines" to "net/http: server permits handlers to write headers with newlines" on Aug 16, 2021

mknyszek added the NeedsInvestigation label (someone must examine and confirm this is a valid issue and not a duplicate of an existing one) on Aug 16, 2021

Change https://golang.org/cl/342530 mentions this issue:

neild removed the NeedsInvestigation label on Aug 16, 2021
Thanks for this fix ;-)
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

What did you do?

Consider the following code:

When requesting http://localhost:3000/?name=%0a%0a%3Chtml%3E%3Cscript%3Ealert(%27not%20supposed%20to%20happen%27)%3C/script%3Easd&value=a%0aasd, the name parameter's value (name=%0a%0a<html><script>alert('not supposed to happen')</script>) is set as the header's name. But due to no sanitization, %0a can be used to inject new headers or arbitrary HTML content.

What did you expect to see?

%0a in the header's value is sanitized and causes no CRLF. The same could be expected in the case of the header's name.

What did you see instead?

Proper sanitization of the header's name.
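The report above describes a handler that copies query-string parameters straight into `Header().Set()`, so a `%0a` in the name or value ends up as a raw newline in the response. As an added, defender-side example (not code from this issue, from its reporter, or from the Go project), the program below validates caller-supplied header names against the RFC 7230 token rule and rejects CR, LF, NUL and other control characters in values before anything reaches `Header().Set()`; a request that fails the check gets a 400 instead of a response with an altered header block. The names `ValidHeaderName`, `ValidHeaderValue`, `SetUserHeader`, `handler` and `Probe` are introduced here and are not part of net/http.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// isTokenChar reports whether c may appear in a header field name:
// RFC 7230 "tchar", i.e. visible ASCII minus the delimiter set.
func isTokenChar(c byte) bool {
	if c <= ' ' || c >= 0x7f {
		return false
	}
	switch c {
	case '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/', '[', ']', '?', '=', '{', '}':
		return false
	}
	return true
}

// ValidHeaderName accepts a non-empty name made only of token characters,
// which by construction excludes CR, LF, SP and ':'.
func ValidHeaderName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTokenChar(name[i]) {
			return false
		}
	}
	return true
}

// ValidHeaderValue allows printable bytes, HTAB and obs-text (>= 0x80) and
// rejects CR, LF, NUL, DEL and every other control character.
func ValidHeaderValue(v string) bool {
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '\r' || c == '\n' || c == 0 || c == 0x7f {
			return false
		}
		if c < ' ' && c != '\t' {
			return false
		}
	}
	return true
}

// SetUserHeader is the guarded replacement for a bare h.Set(name, value)
// on untrusted input: it returns an error instead of writing a bad header.
func SetUserHeader(h http.Header, name, value string) error {
	if !ValidHeaderName(name) {
		return fmt.Errorf("invalid header name %q", name)
	}
	if !ValidHeaderValue(value) {
		return fmt.Errorf("invalid header value %q", value)
	}
	h.Set(name, value)
	return nil
}

// handler mirrors the reporter's scenario: header name and value both come
// from the query string, but pass through SetUserHeader first.
func handler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if err := SetUserHeader(w.Header(), q.Get("name"), q.Get("value")); err != nil {
		http.Error(w, "bad header parameters", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// Probe starts the hardened handler on a loopback test server, sends one
// GET with the given raw query string and returns status and headers.
func Probe(rawQuery string) (int, http.Header, error) {
	ts := httptest.NewServer(http.HandlerFunc(handler))
	defer ts.Close()
	res, err := http.Get(ts.URL + "/?" + rawQuery)
	if err != nil {
		return 0, nil, err
	}
	res.Body.Close()
	return res.StatusCode, res.Header, nil
}

func main() {
	// Constructed inputs: a benign pair, then the newline-in-name case from this issue.
	for _, q := range []string{
		"name=X-Example&value=ok",
		"name=Xxx%3A%20xxxx%0aSmuggle&value=smuggleval",
	} {
		status, hdr, err := Probe(q)
		fmt.Printf("%s -> %d %v %v\n", q, status, hdr, err)
	}
}
```

The validation runs in application code rather than relying on whatever net/http does with an invalid header, so the caller sees an explicit 400 and a log-worthy error instead of a silently altered response; the same `SetUserHeader` guard is the place to add a per-application allow-list of header names if user-chosen names are not actually required.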