Skip to content

net/http: outbound trailer names lack validation #64766

New issue
New issue
Closed
Closed
net/http: outbound trailer names lack validation#64766
Assignees
odeke-em
Labels
FrozenDueToAgeNeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Go1.23
@neild

Description

@neild
neild
opened on Dec 15, 2023
Contributor

We will produce an error if the user attempts to send a request with an invalid header name such as X-Header: x\r\nX-Another-Header. However, we don't validate the names of trailers. In the HTTP/1 path, this permits the user to perform header injection or similar shenanigans on an outbound request.

This doesn't seem to be an exploitable vulnerability under any likely scenario, since the user would need to be acquiring header names from an attacker-controlled source, but it's still something we should catch.

Activity

thanm
added
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
on Dec 18, 2023
odeke-em

odeke-em commented on Mar 19, 2024

@odeke-em
odeke-em
on Mar 19, 2024
Member

I've mailed out CL https://go-review.googlesource.com/c/go/+/572615

gopherbot

gopherbot commented on Mar 19, 2024

@gopherbot
gopherbot
on Mar 19, 2024
Contributor

Change https://go.dev/cl/572615 mentions this issue: net/http: validate outgoing/client request trailers

gopherbot

gopherbot commented on Mar 19, 2024

@gopherbot
gopherbot
on Mar 19, 2024
Contributor

Change https://go.dev/cl/572655 mentions this issue: http2: validate client/outgoing trailers

odeke-em
self-assigned this
on Mar 19, 2024
gopherbot
added a commit that references this issue on Mar 19, 2024

http2: validate client/outgoing trailers

89f602b
gopherbot

gopherbot commented on Mar 20, 2024

@gopherbot
gopherbot
on Mar 20, 2024
Contributor

Change https://go.dev/cl/572676 mentions this issue: src/go.mod, net/http: update bundled+latest golang.org/x/net

gopherbot
closed this as completedin 81a32efon Mar 20, 2024
pull
added a commit that references this issue on Mar 20, 2024

net/http: validate outgoing/client request trailers

81a32ef
odeke-em
added this to the Go1.23 milestone on Mar 20, 2024
gopherbot
added a commit that references this issue on Mar 21, 2024

src/go.mod, net/http: update bundled+latest golang.org/x/net

0a0758a
golang
locked and limited conversation to collaborators on Mar 20, 2025
gopherbot
added
FrozenDueToAge
on Mar 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

FrozenDueToAgeNeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Type

No type

Projects

No projects

Milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @neild@odeke-em@gopherbot@thanm

      Issue actions
        net/http: outbound trailer names lack validation · Issue #64766 · golang/go