IMHO this should be discussed on the golang-dev mailing list
On Saturday, July 18, 2015 at 12:18:05 AM UTC+2, regis...@gmail.com wrote:


I've reported privately recently some HTTP smuggling issues which leads to
some fixs in Net/http:


As explained in the commits it was relatively easy to perform strange http
requests with several Content-length headers,
or with 'Content lenght' interpreted as 'Content-length' or with bad
interpretation of chunked+length requests.

The fixs are almost good, just a little too hard on the
content-length+chunked transfer handling so this commit was made after:


My concerns are that projects using the Go net/http library to build an
HTTP server can all be used as weapons in http smuggling attacks.
I wont give the details here but this can be used, under certain
circonstances, to perform cache poisoning, bypass security checks or perform
DOS attacks against other parts of the http stack (not the go-based server

So I'm happy that the issue are fixed but I would prefer something like a
CVE, so that people building professional tools based on go
could take actions to fix the problems (like upgrading go).

Is someone willing to do that for the golang project?

Existing similar CVE :

- http://www.cvedetails.com/cve/CVE-2005-2088/
- http://www.cvedetails.com/cve/2005-2090
- http://www.cvedetails.com/cve/CVE-2014-0227/
- https://access.redhat.com/security/cve/CVE-2015-3183
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 2 of 3 | next ›
Discussion Overview
groupgolang-nuts @
postedJul 17, '15 at 10:17p
activeJul 18, '15 at 9:39a

2 users in discussion

Regis Leroy: 2 posts Michael Schaller: 1 post



site design / logo © 2022 Grokbase