net/http/cgi: reject invalid header names

Being lenient on those has caused enough security issues. Spun out of CL 231419. Fixes #38889 Change-Id: Idd3bc6adc22e08a30b3dabb146ce78d4105684cd Reviewed-on: https://go-review.googlesource.com/c/go/+/232277 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-11-23 16:20:04 -07:00 · 2020-05-05 00:11:00 -04:00 · 2020-05-05 00:11:00 -04:00 · e538b7e931
commit e538b7e931
parent 7d232ab276
2 changed files with 7 additions and 2 deletions
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@ -448,7 +448,7 @@ var pkgDeps = map[string][]string{

 	// HTTP-using packages.
 	"expvar":             {"L4", "OS", "encoding/json", "net/http"},
-	"net/http/cgi":       {"L4", "NET", "OS", "crypto/tls", "net/http", "regexp"},
+	"net/http/cgi":       {"L4", "NET", "OS", "crypto/tls", "net/http", "regexp", "golang.org/x/net/http/httpguts"},
 	"net/http/cookiejar": {"L4", "NET", "net/http"},
 	"net/http/fcgi":      {"L4", "NET", "OS", "context", "net/http", "net/http/cgi"},
 	"net/http/httptest": {
--- a/src/net/http/cgi/host.go
+++ b/src/net/http/cgi/host.go
@ -29,6 +29,8 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+
+	"golang.org/x/net/http/httpguts"
 )

 var trailingPort = regexp.MustCompile(`:([0-9]+)$`)
@ -277,7 +279,10 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			continue
 		}
 		header, val := parts[0], parts[1]
-		header = textproto.TrimString(header)
+		if !httpguts.ValidHeaderFieldName(header) {
+			h.printf("cgi: invalid header name: %q", header)
+			continue
+		}
 		val = textproto.TrimString(val)
 		switch {
 		case header == "Status":