1
0
mirror of https://github.com/golang/go synced 2024-11-22 14:24:45 -07:00

doc/go1.17: add security-related release notes

Change-Id: I573def0f48fe66a1bc60fff321ab007c76b47ef0
Reviewed-on: https://go-review.googlesource.com/c/go/+/327810
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
Filippo Valsorda 2021-06-15 07:13:08 -04:00
parent 1de332996c
commit 85a2e24afd

View File

@ -441,6 +441,67 @@ func Foo() bool {
<a href="/pkg/runtime/cgo#Handle">runtime/cgo.Handle</a> for more information.
</p>
<h3 id="semicolons">URL query parsing</h3>
<!-- CL 325697, CL 326309 -->
<p>
The <code>net/url</code> and <code>net/http</code> packages used to accept
<code>";"</code> (semicolon) as a setting separator in URL queries, in
addition to <code>"&"</code> (ampersand). Now, settings with non-percent-encoded
semicolons are rejected and <code>net/http</code> servers will log a warning to
<a href="/pkg/net/http#Server.ErrorLog"><code>Server.ErrorLog</code></a>
when encountering one in a request URL.
</p>
<p>
For example, before Go 1.17 the <a href="/pkg/net/url#URL.Query"><code>Query</code></a>
method of the URL <code>example?a=1;b=2&c=3</code> would have returned
<code>map[a:[1] b:[2] c:[3]]</code>, while now it returns <code>map[c:[3]]</code>.
</p>
<p>
When encountering such a query string,
<a href="/pkg/net/url#URL.Query"><code>URL.Query</code></a>
and
<a href="/pkg/net/http#Request.FormValue"><code>Request.FormValue</code></a>
ignore any settings that contain a semicolon,
<a href="/pkg/net/url#ParseQuery"><code>ParseQuery</code></a>
returns the remaining settings and an error, and
<a href="/pkg/net/http#Request.ParseForm"><code>Request.ParseForm</code></a>
and
<a href="/pkg/net/http#Request.ParseMultipartForm"><code>Request.ParseMultipartForm</code></a>
return an error but still set <code>Request</code> fields based on the
remaining settings.
</p>
<p>
<code>net/http</code> users can restore the original behavior by using the new
<a href="/pkg/net/http#AllowQuerySemicolons"><code>AllowQuerySemicolons</code></a>
handler wrapper. This will also suppress the <code>ErrorLog</code> warning.
Note that accepting semicolons as query separators can lead to security issues
if different systems interpret cache keys differently.
See <a href="https://golang.org/issue/25192">issue 25192</a> for more information.
</p>
<h3 id="ALPN">TLS strict ALPN</h3>
<!-- CL 289209, CL 325432 -->
<p>
When <a href="/pkg/crypto/tls#Config.NextProtos"><code>Config.NextProtos</code></a>
is set, servers now enforce that there is an overlap between the configured
protocols and the ALPN protocols advertised by the client, if any. If there is
no mutually supported protocol, the connection is closed with the
<code>no_application_protocol</code> alert, as required by RFC 7301. This
helps mitigate <a href="https://alpaca-attack.com/">the ALPACA cross-protocol attack</a>.
</p>
<p>
As an exception, when the value <code>"h2"</code> is included in the server's
<code>Config.NextProtos</code>, HTTP/1.1 clients will be allowed to connect as
if they didn't support ALPN.
See <a href="https://golang.org/issue/46310">issue 46310</a> for more information.
</p>
<h3 id="minor_library_changes">Minor changes to the library</h3>
<p>
@ -549,14 +610,6 @@ func Foo() bool {
methods. Canceling the context after the handshake has finished has no effect.
</p>
<p><!-- CL 289209 -->
When <a href="/pkg/crypto/tls#Config.NextProtos"><code>Config.NextProtos</code></a>
is set, servers now enforce that there is an overlap between the
configured protocols and the protocols advertised by the client, if any.
If there is no overlap the connection is closed with the
<code>no_application_protocol</code> alert, as required by RFC 7301.
</p>
<p><!-- CL 314609 -->
Cipher suite ordering is now handled entirely by the
<code>crypto/tls</code> package. Currently, cipher suites are sorted based
@ -658,6 +711,22 @@ func Foo() bool {
</dd>
</dl><!-- encoding/csv -->
<dl id="encoding/xml"><dt><a href="/pkg/encoding/xml/">encoding/xml</a></dt>
<dd>
<p><!-- CL 277893 -->
When a comment appears within a
<a href="/pkg/encoding/xml/#Directive"><code>Directive</code></a>, it is now replaced
with a single space instead of being completely elided.
</p>
<p>
Invalid element or attribute names with leading, trailing, or multiple
colons are now stored unmodified into the
<a href="/pkg/encoding/xml/#Name"><code>Name.Local</code></a> field.
</p>
</dd>
</dl><!-- encoding/xml -->
<dl id="flag"><dt><a href="/pkg/flag/">flag</a></dt>
<dd>
<p><!-- CL 271788 -->
@ -744,6 +813,20 @@ func Foo() bool {
</dd>
</dl><!-- mime -->
<dl id="mime/multipart"><dt><a href="/pkg/mime/multipart/">mime/multipart</a></dt>
<dd>
<p><!-- CL 313809 -->
<a href="/pkg/mime/multipart/#Part.FileName"><code>Part.FileName</code></a>
now applies
<a href="/pkg/path/filepath/#Base"><code>filepath.Base</code></a> to the
return value. This mitigates potential path traversal vulnerabilities in
applications that accept multipart messages, such as <code>net/http</code>
servers that call
<a href="/pkg/net/http/#Request.FormFile"><code>Request.FormFile</code></a>.
</p>
</dd>
</dl><!-- mime/multipart -->
<dl id="net"><dt><a href="/pkg/net/">net</a></dt>
<dd>
<p><!-- CL 272668 -->
@ -763,7 +846,7 @@ func Foo() bool {
the <a href="/pkg/net/#Error"><code>net.Error</code></a> interface.
</p>
<p><!-- CL325829 -->
<p><!-- CL 325829 -->
The <a href="/pkg/net/#ParseIP"><code>ParseIP</code></a> and <a href="/pkg/net/#ParseCIDR"><code>ParseCIDR</code></a>
functions now reject IPv4 addresses which contain decimal components with leading zeros.
@ -794,6 +877,29 @@ func Foo() bool {
The <a href="/pkg/net/http/#ReadRequest"><code>ReadRequest</code></a> function
now returns an error when the request has multiple Host headers.
</p>
<p><!-- CL 313950 -->
When producing a redirect to the cleaned version of a URL,
<a href="/pkg/net/http/#ServeMux"><code>ServeMux</code></a> now always
uses relative URLs in the <code>Location</code> header. Previously it
would echo the full URL of the request, which could lead to unintended
redirects if the client could be made to send an absolute request URL.
</p>
<p><!-- CL 308009, CL 313489 -->
When interpreting certain HTTP headers handled by <code>net/http</code>,
non-ASCII characters are now ignored or rejected.
</p>
<p><!-- CL 325697 -->
If
<a href="/pkg/net/http/#Request.ParseForm"><code>Request.ParseForm</code></a>
returns an error when called by
<a href="/pkg/net/http/#Request.ParseMultipartForm"><code>Request.ParseMultipartForm</code></a>,
the latter now continues populating
<a href="/pkg/net/http/#Request.MultipartForm"><code>Request.MultipartForm</code></a>
before returning it.
</p>
</dd>
</dl><!-- net/http -->