net/http: Request.Write and Request.WriteProxy insufficiently validate User-Agent header #61824
Assignees
Comments
|
Change https://go.dev/cl/516836 mentions this issue: |
|
After internal discussion: We're considering this a bug, but not a vulnerability. This requires the user to provide invalid input (garbage in, garbage out) and does not affect either the client or server request path. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
net/httpRequest.WriteandRequest.WriteProxyfunctions do not validate the contents of theUser-Agentheader. A maliciously-craftedUser-Agentfield can inject request headers or entire new requests into the output.This does not affect requests sent using
Transport.RoundTrip, which validates all header values inRequest.Header.This cannot affect proxied requests or requests read with
http.ReadRequest, since we would reject the invalid header at read time.Given the limited circumstances this applies to, I'm inclined to call it a simple bug rather than a vulnerability. If it is a vulnerability, it's difficult enough to exploit that it seems reasonable to call it PUBLIC track.
Thanks to RyotaK (https://ryotak.net/) for reporting this issue.
The text was updated successfully, but these errors were encountered: