)]}'
{
  "commit": "41b1f88efab9d263408448bf139659119002ea50",
  "tree": "3cfee22c40231f7eaa8b6b2b9794d5be3fe66a6b",
  "parents": [
    "0ad368675bae1e3228c9146e092cd00cfb29ac27"
  ],
  "author": {
    "name": "Filippo Valsorda",
    "email": "filippo@golang.org",
    "time": "Thu Sep 12 12:37:36 2019 -0400"
  },
  "committer": {
    "name": "Dmitri Shuralyov",
    "email": "dmitshur@golang.org",
    "time": "Thu Sep 26 16:43:06 2019 +0000"
  },
  "message": "net/textproto: don\u0027t normalize headers with spaces before the colon\n\nRFC 7230 is clear about headers with a space before the colon, like\n\nX-Answer : 42\n\nbeing invalid, but we\u0027ve been accepting and normalizing them for compatibility\npurposes since CL 5690059 in 2012.\n\nOn the client side, this is harmless and indeed most browsers behave the same\nto this day. On the server side, this becomes a security issue when the\nbehavior doesn\u0027t match that of a reverse proxy sitting in front of the server.\n\nFor example, if a WAF accepts them without normalizing them, it might be\npossible to bypass its filters, because the Go server would interpret the\nheader differently. Worse, if the reverse proxy coalesces requests onto a\nsingle HTTP/1.1 connection to a Go server, the understanding of the request\nboundaries can get out of sync between them, allowing an attacker to tack an\narbitrary method and path onto a request by other clients, including\nauthentication headers unknown to the attacker.\n\nThis was recently presented at multiple security conferences:\nhttps://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn\n\nnet/http servers already reject header keys with invalid characters.\nSimply stop normalizing extra spaces in net/textproto, let it return them\nunchanged like it does for other invalid headers, and let net/http enforce\nRFC 7230, which is HTTP specific. This loses us normalization on the client\nside, but there\u0027s no right answer on the client side anyway, and hiding the\nissue sounds worse than letting the application decide.\n\nFixes CVE-2019-16276\nFixes #34540\n\nChange-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1\nReviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719\nReviewed-by: Brad Fitzpatrick \u003cbradfitz@google.com\u003e\nReviewed-on: https://go-review.googlesource.com/c/go/+/197503\nRun-TryBot: Filippo Valsorda \u003cfilippo@golang.org\u003e\nTryBot-Result: Gobot Gobot \u003cgobot@golang.org\u003e\nReviewed-by: Dmitri Shuralyov \u003cdmitshur@golang.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "61adda2604c89979c4e170912ab5abf615be6808",
      "old_mode": 33188,
      "old_path": "src/net/http/serve_test.go",
      "new_id": "1d1449aa659ef417db74d94a17b1d9c5f13a61b9",
      "new_mode": 33188,
      "new_path": "src/net/http/serve_test.go"
    },
    {
      "type": "modify",
      "old_id": "e94ade5f7fd012e665ed0dada9b64dba5dec9d04",
      "old_mode": 33188,
      "old_path": "src/net/http/transport_test.go",
      "new_id": "d7eef0d94cc51bcf3e0d7f72b8264fb6443b00d7",
      "new_mode": 33188,
      "new_path": "src/net/http/transport_test.go"
    },
    {
      "type": "modify",
      "old_id": "a5cab993b298bfa21a12d0a577da7ab46a0c2ec0",
      "old_mode": 33188,
      "old_path": "src/net/textproto/reader.go",
      "new_id": "87f901b4fce17ee3ee1b03faee0494cc69a9fdf5",
      "new_mode": 33188,
      "new_path": "src/net/textproto/reader.go"
    },
    {
      "type": "modify",
      "old_id": "6ff7eefe914e5d872d2509bfcbe66f28d47b1b63",
      "old_mode": 33188,
      "old_path": "src/net/textproto/reader_test.go",
      "new_id": "97fb1ab028107fb73bb52d1e32158c4ba21bbb46",
      "new_mode": 33188,
      "new_path": "src/net/textproto/reader_test.go"
    }
  ]
}
