Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: improper sanitization of Transfer-Encoding header [1.18 backport] #53433

Closed
gopherbot opened this issue Jun 17, 2022 · 8 comments
Closed

net/http: improper sanitization of Transfer-Encoding header [1.18 backport] #53433

gopherbot opened this issue Jun 17, 2022 · 8 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.18.4

Comments

@gopherbot
Copy link

@neild requested issue #53188 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jun 17, 2022
@gopherbot gopherbot mentioned this issue Jun 17, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.4 milestone Jun 17, 2022
@joedian joedian added the CherryPickApproved Used during the release process for point releases label Jun 22, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jun 22, 2022
@abisai1

This comment was marked as spam.

Sign in to view
@abisai1

This comment was marked as spam.

Sign in to view
@abisai1

This comment was marked as off-topic.

Sign in to view
@abisai1

This comment was marked as spam.

Sign in to view
@abisai1

This comment was marked as spam.

Sign in to view
@gopherbot
Copy link
Author

Change https://go.dev/cl/415218 mentions this issue: [release-branch.go1.18] net/http: don't strip whitespace from Transfer-Encoding headers

@heschi
Copy link
Contributor

heschi commented Jul 8, 2022

(temporarily removing release-blocker while I do some testing)

gopherbot pushed a commit that referenced this issue Jul 12, 2022
@neild @mknyszek
[release-branch.go1.18] net/http: don't strip whitespace from Transfe…
222ee24 
…r-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For #53188
For CVE-2022-1705
Fixes #53433

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415218
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@gopherbot
Copy link
Author

Closed by merging 222ee24 to release-branch.go1.18.

bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
@neild @bradfitz
[release-branch.go1.18] net/http: don't strip whitespace from Transfe…
61d05bd 
…r-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For golang#53188
For CVE-2022-1705
Fixes golang#53433

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415218
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@golang golang locked and limited conversation to collaborators Jul 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.18.4
Development

No branches or pull requests
5 participants
@tatianab @gopherbot @joedian @heschi @abisai1