Skip to content

net/http: invalid headers are normalized, allowing request smuggling #34540

New issue
New issue
Closed
Closed
net/http: invalid headers are normalized, allowing request smuggling#34540
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security
Milestone
 
Go1.14
@FiloSottile

Description

@FiloSottile
FiloSottile
opened on Sep 25, 2019

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

This issue is CVE-2019-16276 and is fixed in Go 1.13.1 and Go 1.12.10.

Activity

FiloSottile
added
Security
NeedsFixThe path to resolution is known, but the work has not been done.
on Sep 25, 2019
FiloSottile
added this to the Go1.14 milestone on Sep 25, 2019
FiloSottile
self-assigned this
on Sep 25, 2019
FiloSottile

FiloSottile commented on Sep 25, 2019

@FiloSottile
FiloSottile
on Sep 25, 2019
ContributorAuthor

@gopherbot Please open backport issues for this. This was a security problem.

gopherbot
mentioned this in 2 issues on Sep 25, 2019
gopherbot

gopherbot commented on Sep 25, 2019

@gopherbot
gopherbot
on Sep 25, 2019
Contributor

Backport issue(s) opened: #34541 (for 1.12), #34542 (for 1.13).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

dongsupark
added a commit that references this issue on Sep 26, 2019

dev-lang/go: update dev-lang/go to 1.12.10 and add go 1.13.1

64a62d3
dongsupark
mentioned this on Sep 26, 2019
dongsupark
added a commit that references this issue on Sep 26, 2019

upgrade Go to 1.13.1

71b025e
dongsupark
mentioned this on Sep 26, 2019
bbrks
mentioned this on Sep 26, 2019
notnoop
added a commit that references this issue on Sep 26, 2019

Use golang to 1.12.10

053a100
thaJeztah

thaJeztah commented on Sep 26, 2019

@thaJeztah
thaJeztah
on Sep 26, 2019
Contributor

Looks like this fix is not in master, only in the release branches, correct?

32 remaining items

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @sporkmonger@FiloSottile@thausler786@thaJeztah@gopherbot

        Issue actions
          net/http: invalid headers are normalized, allowing request smuggling · Issue #34540 · golang/go