I've reported privately recently some HTTP smuggling issues which leads to
some fixs in Net/http:
As explained in the commits it was relatively easy to perform strange http
requests with several Content-length headers,
or with 'Content lenght' interpreted as 'Content-length' or with bad
interpretation of chunked+length requests.
The fixs are almost good, just a little too hard on the
content-length+chunked transfer handling so this commit was made after:
My concerns are that projects using the Go net/http library to build an
HTTP server can all be used as weapons in http smuggling attacks.
I wont give the details here but this can be used, under certain
circonstances, to perform cache poisoning, bypass security checks or perform
DOS attacks against other parts of the http stack (not the go-based server
So I'm happy that the issue are fixed but I would prefer something like a
CVE, so that people building professional tools based on go
could take actions to fix the problems (like upgrading go).
Is someone willing to do that for the golang project?
Existing similar CVE :
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firstname.lastname@example.org.
For more options, visit https://groups.google.com/d/optout.