net/http: outbound trailer names lack validation #64766
Assignees
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Comments
thanm
added
the
NeedsInvestigation
|
I've mailed out CL https://go-review.googlesource.com/c/go/+/572615 |
|
Change https://go.dev/cl/572615 mentions this issue: |
|
Change https://go.dev/cl/572655 mentions this issue: |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Mar 19, 2024
This change is a counterpart to the HTTP/1.1 trailers validation CL 572615. This change will ensure that we validate trailers that were set on the HTTP client before they are transformed to HTTP/2 equivalents. Updates golang/go#64766 Change-Id: Id1afd7f7e9af820ea969ef226bbb16e4de6d57a5 Reviewed-on: https://go-review.googlesource.com/c/net/+/572655 Auto-Submit: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com>
|
Change https://go.dev/cl/572676 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Mar 21, 2024
Updates x/net/http2 to git rev 89f602b7bbf237abe0467031a18b42fc742ced08
http2: validate client/outgoing trailers
https://golang.org/cl/572655 (updates #64766)
and also updates the vendored version of golang.org/x/net per:
$ go get golang.org/x/net@89f602b7bb
$ go mod tidy
$ go mod vendor
$ go generate -run bundle std
Change-Id: Ibd0e819d9125e72665bafec53ba626e257b594a5
Reviewed-on: https://go-review.googlesource.com/c/go/+/572676
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We will produce an error if the user attempts to send a request with an invalid header name such as
X-Header: x\r\nX-Another-Header. However, we don't validate the names of trailers. In the HTTP/1 path, this permits the user to perform header injection or similar shenanigans on an outbound request.This doesn't seem to be an exploitable vulnerability under any likely scenario, since the user would need to be acquiring header names from an attacker-controlled source, but it's still something we should catch.
The text was updated successfully, but these errors were encountered: