You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The net/httpRequest.Write and Request.WriteProxy functions do not validate the contents of the User-Agent header. A maliciously-crafted User-Agent field can inject request headers or entire new requests into the output.
This does not affect requests sent using Transport.RoundTrip, which validates all header values in Request.Header.
This cannot affect proxied requests or requests read with http.ReadRequest, since we would reject the invalid header at read time.
Given the limited circumstances this applies to, I'm inclined to call it a simple bug rather than a vulnerability. If it is a vulnerability, it's difficult enough to exploit that it seems reasonable to call it PUBLIC track.
After internal discussion: We're considering this a bug, but not a vulnerability. This requires the user to provide invalid input (garbage in, garbage out) and does not affect either the client or server request path.
The
net/http
Request.Write
andRequest.WriteProxy
functions do not validate the contents of theUser-Agent
header. A maliciously-craftedUser-Agent
field can inject request headers or entire new requests into the output.This does not affect requests sent using
Transport.RoundTrip
, which validates all header values inRequest.Header
.This cannot affect proxied requests or requests read with
http.ReadRequest
, since we would reject the invalid header at read time.Given the limited circumstances this applies to, I'm inclined to call it a simple bug rather than a vulnerability. If it is a vulnerability, it's difficult enough to exploit that it seems reasonable to call it PUBLIC track.
Thanks to RyotaK (https://ryotak.net/) for reporting this issue.
The text was updated successfully, but these errors were encountered: