1
0
mirror of https://github.com/golang/go synced 2024-11-23 06:40:05 -07:00

net/http: don't strip whitespace from Transfer-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

Fixes #53188
Fixes CVE-2022-1705

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Damien Neil 2022-06-01 11:17:07 -07:00
parent 20760cff00
commit e5017a93fc
2 changed files with 2 additions and 1 deletions

View File

@ -6245,6 +6245,7 @@ func TestUnsupportedTransferEncodingsReturn501(t *testing.T) {
"fugazi", "fugazi",
"foo-bar", "foo-bar",
"unknown", "unknown",
"\rchunked",
} }
for _, badTE := range unsupportedTEs { for _, badTE := range unsupportedTEs {

View File

@ -642,7 +642,7 @@ func (t *transferReader) parseTransferEncoding() error {
if len(raw) != 1 { if len(raw) != 1 {
return &unsupportedTEError{fmt.Sprintf("too many transfer encodings: %q", raw)} return &unsupportedTEError{fmt.Sprintf("too many transfer encodings: %q", raw)}
} }
if !ascii.EqualFold(textproto.TrimString(raw[0]), "chunked") { if !ascii.EqualFold(raw[0], "chunked") {
return &unsupportedTEError{fmt.Sprintf("unsupported transfer encoding: %q", raw[0])} return &unsupportedTEError{fmt.Sprintf("unsupported transfer encoding: %q", raw[0])}
} }