Closed
Description
net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.
This issue is CVE-2019-16276 and is fixed in Go 1.13.1 and Go 1.12.10.
Metadata
Metadata
Assignees
Type
Projects
Relationships
Development
No branches or pull requests
Activity
FiloSottile commentedon Sep 25, 2019
@gopherbot Please open backport issues for this. This was a security problem.
gopherbot commentedon Sep 25, 2019
Backport issue(s) opened: #34541 (for 1.12), #34542 (for 1.13).
Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
dev-lang/go: update dev-lang/go to 1.12.10 and add go 1.13.1
upgrade Go to 1.13.1
Use golang to 1.12.10
thaJeztah commentedon Sep 26, 2019
Looks like this fix is not in master, only in the release branches, correct?
32 remaining items