IMHO this should be discussed on the golang-dev mailing list
(https://groups.google.com/forum/#!forum/golang-dev).
On Saturday, July 18, 2015 at 12:18:05 AM UTC+2, regis...@gmail.com wrote:

Hello,

I've recently reported privately some HTTP smuggling issues which led to
some fixes in net/http:

- https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
- https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f

As explained in the commits, it was relatively easy to perform strange HTTP
requests with several Content-length headers,
or with 'Content lenght' interpreted as 'Content-length', or with bad
interpretation of chunked+length requests.

The fixes are almost good, just a little too hard on the
content-length+chunked transfer handling, so this commit was made after:

https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

My concern is that projects using the Go net/http library to build an
HTTP server can all be used as weapons in HTTP smuggling attacks.
I won't give the details here, but this can be used, under certain
circumstances, to perform cache poisoning, bypass security checks or perform
DoS attacks against other parts of the HTTP stack (not the Go-based server
directly).

So I'm happy that the issues are fixed, but I would prefer something like a
CVE, so that people building professional tools based on Go
could take action to fix the problems (like upgrading Go).

Is someone willing to do that for the golang project?
https://cve.mitre.org/cve/request_id.html

Existing similar CVEs:

- http://www.cvedetails.com/cve/CVE-2005-2088/
- http://www.cvedetails.com/cve/2005-2090
- http://www.cvedetails.com/cve/CVE-2014-0227/
- https://access.redhat.com/security/cve/CVE-2015-3183
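The three framing conditions the post names (several Content-Length headers, a look-alike name such as 'Content lenght', and Content-Length combined with chunked transfer encoding) as a defender-side check a front end could apply before forwarding a request. This is an added example, not code from the Go project or from the poster; it scans a raw request head with its own small parser rather than relying on net/http, and every sample request used with it is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one request-framing problem found in a raw HTTP/1.1 request head.
type Finding string

// validName reports whether s is an RFC 7230 field-name token, so a name such
// as "Content lenght" is reported instead of being folded into Content-Length.
func validName(s string) bool {
	return s != "" && strings.IndexFunc(s, func(c rune) bool {
		return !(c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
			strings.ContainsRune("!#$%&'*+-.^_`|~", c))
	}) < 0
}

// checkFraming scans the header lines of a raw request head (everything before
// the blank line) and reports each condition that leaves the body length
// ambiguous. A front end should reject a request with any finding rather than
// guess which framing the next hop will apply.
func checkFraming(raw string) []Finding {
	var out []Finding
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	var lengths []string
	hasTE := false
	for _, line := range strings.Split(strings.TrimRight(head, "\r\n"), "\r\n")[1:] {
		name, value, ok := strings.Cut(line, ":")
		if !ok || !validName(name) {
			out = append(out, Finding(fmt.Sprintf("malformed header line: %q", line)))
			continue
		}
		switch strings.ToLower(name) {
		case "content-length":
			lengths = append(lengths, strings.TrimSpace(value))
		case "transfer-encoding":
			hasTE = true
		}
	}
	if len(lengths) > 1 {
		out = append(out, Finding(fmt.Sprintf("multiple Content-Length headers: %v", lengths)))
	}
	if len(lengths) > 0 && hasTE {
		out = append(out, Finding("Content-Length and Transfer-Encoding both present"))
	}
	return out
}
```

A request head such as "POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\n" yields one finding naming both lengths; a head with a single Content-Length or only Transfer-Encoding yields none.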
