FAQ
Hello,

I've reported privately recently some HTTP smuggling issues which leads to
some fixs in Net/http:

  -
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
  -
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f

As explained in the commits it was relatively easy to perform strange http
requests with several Content-length headers,
or with 'Content lenght' interpreted as 'Content-length' or with bad
interpretation of chunked+length requests.

The fixs are almost good, just a little too hard on the
content-length+chunked transfer handling so this commit was made after:
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

My concerns are that projects using the Go net/http library to build an
HTTP server can all be used as weapons in http smuggling attacks.
I wont give the details here but this can be used, under certain
circonstances, to perform cache poisoning, bypass security checks or perform
DOS attacks against other parts of the http stack (not the go-based server
directly).

So I'm happy that the issue are fixed but I would prefer something like a
CVE, so that people building professional tools based on go
could take actions to fix the problems (like upgrading go).

Is someone willing to do that for the golang project?
https://cve.mitre.org/cve/request_id.html

Existing similar CVE :

  - http://www.cvedetails.com/cve/CVE-2005-2088/
  - http://www.cvedetails.com/cve/2005-2090
  - http://www.cvedetails.com/cve/CVE-2014-0227/
  - https://access.redhat.com/security/cve/CVE-2015-3183

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

  • Michael Schaller at Jul 18, 2015 at 7:53 am
    IMHO this should be discussed on the golang-dev mailing list
    (https://groups.google.com/forum/#!forum/golang-dev).
    On Saturday, July 18, 2015 at 12:18:05 AM UTC+2, regis...@gmail.com wrote:

    Hello,

    I've reported privately recently some HTTP smuggling issues which leads to
    some fixs in Net/http:

    -
    https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
    -
    https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f

    As explained in the commits it was relatively easy to perform strange http
    requests with several Content-length headers,
    or with 'Content lenght' interpreted as 'Content-length' or with bad
    interpretation of chunked+length requests.

    The fixs are almost good, just a little too hard on the
    content-length+chunked transfer handling so this commit was made after:

    https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

    My concerns are that projects using the Go net/http library to build an
    HTTP server can all be used as weapons in http smuggling attacks.
    I wont give the details here but this can be used, under certain
    circonstances, to perform cache poisoning, bypass security checks or perform
    DOS attacks against other parts of the http stack (not the go-based server
    directly).

    So I'm happy that the issue are fixed but I would prefer something like a
    CVE, so that people building professional tools based on go
    could take actions to fix the problems (like upgrading go).

    Is someone willing to do that for the golang project?
    https://cve.mitre.org/cve/request_id.html

    Existing similar CVE :

    - http://www.cvedetails.com/cve/CVE-2005-2088/
    - http://www.cvedetails.com/cve/2005-2090
    - http://www.cvedetails.com/cve/CVE-2014-0227/
    - https://access.redhat.com/security/cve/CVE-2015-3183
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Regis Leroy at Jul 18, 2015 at 9:39 am
    You're right.

    I'll post it there. And maybe remove the thread here.

    Le samedi 18 juillet 2015 09:53:30 UTC+2, Michael Schaller a écrit :
    IMHO this should be discussed on the golang-dev mailing list (
    https://groups.google.com/forum/#!forum/golang-dev).

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupgolang-nuts @
categoriesgo
postedJul 17, '15 at 10:17p
activeJul 18, '15 at 9:39a
posts3
users2
websitegolang.org

2 users in discussion

Regis Leroy: 2 posts Michael Schaller: 1 post

People

Translate

site design / logo © 2022 Grokbase