Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/textproto: don't treat spaces as hyphens in header keys #53035

Closed
tatianab opened this issue May 23, 2022 · 0 comments
Closed

net/textproto: don't treat spaces as hyphens in header keys #53035

tatianab opened this issue May 23, 2022 · 0 comments

Comments

@tatianab
Copy link

The MIME header parser treated spaces and hyphens as equivalent, which can permit HTTP request smuggling.

This was originally done in https://codereview.appspot.com/5690059 (Feb 2012) to deal with bad response headers coming back from webcams, but it presents a potential security problem with HTTP request smuggling for request headers containing "Content Length" instead of "Content-Length".

Part of overall HTTP hardening for request smuggling. See RFC 7230.

This is CVE-2015-5739 and is fixed in Go 1.4.3.

"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/

Thank you Régis Leroy for reporting.

@golang golang locked and limited conversation to collaborators May 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

2 participants