Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: insufficient sanitization of Host header [1.20 backport] #61076

Closed
gopherbot opened this issue Jun 29, 2023 · 4 comments
Closed

net/http: insufficient sanitization of Host header [1.20 backport] #61076

gopherbot opened this issue Jun 29, 2023 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #60374 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues. This is a (fairly minor) security issue.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jun 29, 2023
@gopherbot gopherbot added this to the Go1.20.6 milestone Jun 29, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/507357 mentions this issue: net/http: validate Host header before sending

@tatianab tatianab added release-blocker CherryPickApproved Used during the release process for point releases and removed release-blocker labels Jun 30, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jun 30, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/507905 mentions this issue: http2: validate Host header before sending

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/507906 mentions this issue: http2: validate Host header before sending

@gopherbot
Copy link
Contributor Author

Closed by merging 312920c to release-branch.go1.20.

gopherbot pushed a commit that referenced this issue Jul 6, 2023
Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

For #60374
Fixes #61076
For CVE-2023-29406

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
(cherry picked from commit 499458f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/507357
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Jul 13, 2023
Redis testcontainer fails to start due to due to testcontainers/testcontainers-go#1359
caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Jul 13, 2023
Redis testcontainer fails to start due to due to testcontainers/testcontainers-go#1359
caused by golang/go#61076 and we can not pin cdp-runtime/go to a working patch version before 1.20.6

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Jul 13, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359
caused by golang/go#61076 and
we can not pin cdp-runtime/go to a working patch version before 1.20.6

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Jul 14, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359
caused by golang/go#61076 and
we can not pin cdp-runtime/go to a working patch version before 1.20.6

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Jul 15, 2023
Redis testcontainer fails to start due to testcontainers/testcontainers-go#1359
caused by golang/go#61076 and
we can not pin cdp-runtime/go to a working patch version before 1.20.6

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
caixw added a commit to issue9/assert that referenced this issue Jul 21, 2023
golang/go#61076 添加了对 HOST 的验证,
原有的实现不再可行。
TomaszAIR added a commit to 3mdeb/meta-balena-engine that referenced this issue Nov 2, 2023
Go used in kirkstone uses fix for CVE-2023-29406 which breaks
docker/balena engine.

see:
 - moby/moby#46614
 - moby/moby#45935
 - golang/go#61076

Signed-off-by: Tomasz Żyjewski <tomasz.zyjewski@3mdeb.com>
@golang golang locked and limited conversation to collaborators Jul 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Development

No branches or pull requests

2 participants