(https://groups.google.com/forum/#!forum/golang-dev).
On Saturday, July 18, 2015 at 12:18:05 AM UTC+2, regis...@gmail.com wrote:
Hello,
I've recently reported privately some HTTP smuggling issues, which led to
some fixes in net/http:
- https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
- https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
As explained in the commits, it was relatively easy to perform strange HTTP
requests with several Content-length headers,
or with 'Content length' interpreted as 'Content-length', or with bad
interpretation of chunked+length requests.
The fixes are almost good, just a little too hard on the
content-length+chunked transfer handling, so this commit was made after:
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
My concerns are that projects using the Go net/http library to build an
HTTP server can all be used as weapons in HTTP smuggling attacks.
I won't give the details here, but this can be used, under certain
circumstances, to perform cache poisoning, bypass security checks or perform
DoS attacks against other parts of the HTTP stack (not the Go-based server
directly).
So I'm happy that the issues are fixed, but I would prefer something like a
CVE, so that people building professional tools based on Go
could take action to fix the problems (like upgrading Go).
Is someone willing to do that for the golang project?
https://cve.mitre.org/cve/request_id.html
Existing similar CVEs:
- http://www.cvedetails.com/cve/CVE-2005-2088/
- http://www.cvedetails.com/cve/2005-2090
- http://www.cvedetails.com/cve/CVE-2014-0227/
- https://access.redhat.com/security/cve/CVE-2015-3183
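
The three framing ambiguities named in the message above (conflicting Content-Length headers, a header name containing a space that a lenient parser reads as Content-Length, and chunked encoding combined with a length) can be checked for on a raw request head. The following Go sketch is an added example, not code from the thread or from net/http; `FramingIssues` and the sample requests are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample request heads (not taken from the thread or the commits).
const (
	dupLength   = "POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 9\r\n\r\n"
	spacedName  = "POST / HTTP/1.1\r\nHost: a\r\nContent Length: 5\r\n\r\n"
	chunkedBoth = "POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n"
	clean       = "POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\n"
)

// FramingIssues (hypothetical helper) reports body-framing ambiguities in one raw request head.
func FramingIssues(head string) []string {
	var issues []string
	lengths, chunked := map[string]bool{}, false
	for _, line := range strings.Split(head, "\r\n")[1:] { // [0] is the request line
		if line == "" {
			break // blank line ends the header block
		}
		name, value, _ := strings.Cut(line, ":")
		if strings.ContainsAny(name, " \t") {
			issues = append(issues, "whitespace in header name")
		}
		// Normalise as a lenient parser might, to see which header it would act on.
		switch strings.ToLower(strings.ReplaceAll(strings.TrimSpace(name), " ", "-")) {
		case "content-length":
			lengths[strings.TrimSpace(value)] = true
		case "transfer-encoding":
			chunked = chunked || strings.Contains(strings.ToLower(value), "chunked")
		}
	}
	if len(lengths) > 1 {
		issues = append(issues, "conflicting Content-Length values")
	}
	if chunked && len(lengths) > 0 {
		issues = append(issues, "Transfer-Encoding: chunked with Content-Length")
	}
	return issues
}

func main() {
	for _, h := range []string{dupLength, spacedName, chunkedBoth, clean} {
		fmt.Println(FramingIssues(h))
	}
}
```

Repeated Content-Length headers carrying the same value are not reported here; only differing values are treated as a conflict.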