| commit | 434eadcdbc3b0256971992e8c70027278364c72c | |
|---|---|---|
| author | Roland Shoemaker <bracewell@google.com> | Fri Sep 02 09:35:37 2022 -0700 |
| committer | Gopher Robot <gobot@golang.org> | Tue Oct 11 16:58:47 2022 +0000 |
| tree | 6f1747b71d72c69ea13dcaae766a2ebb97b6fb79 | |
| parent | 23407e72ed5b895a2dfd230aec777f4fbe026d6a | |
language: reject excessively large Accept-Language strings

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

Thanks to the OSS-Fuzz project for discovering this issue and to Adam Korczynski (ADA Logics) for writing the fuzz case and for reporting the issue.

Fixes CVE-2022-32149
Fixes golang/go#56152

Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
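The guard the commit message describes, as an added example and not code from the x/text repository or from this change: an O(n) pre-check on the raw Accept-Language header that applies the same ceiling of 1000 dashes before any BCP 47 parser sees the string, the way an application that cannot yet pick up the fixed x/text release might do at its HTTP layer. The constant, function and handler names and the oversized header are constructed for this example; golang.org/x/text is deliberately not imported so the program runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// maxAcceptLanguageDashes mirrors the limit the fix applies inside
// ParseAcceptLanguage: the total number of '-' characters in the header
// value. The constant is this example's own; x/text exports no such name.
const maxAcceptLanguageDashes = 1000

// errTooManyDashes is returned when the header exceeds the limit.
var errTooManyDashes = errors.New("accept-language: too many dashes, header rejected")

// CheckAcceptLanguage rejects an Accept-Language value whose total
// complexity, measured as dashes across all tags (the same measure the
// patched parser uses), exceeds maxAcceptLanguageDashes. It is linear in
// the input and is meant to run before any BCP 47 parsing.
func CheckAcceptLanguage(s string) error {
	if strings.Count(s, "-") > maxAcceptLanguageDashes {
		return errTooManyDashes
	}
	return nil
}

// buildOversizedHeader builds a constructed sample of the kind of input
// the guard exists for (not the fuzz case from the report): one short
// language subtag followed by n dashed subtags.
func buildOversizedHeader(n int) string {
	return "en" + strings.Repeat("-aa", n)
}

// handler shows where the guard belongs in a web application: check the raw
// header first and, if it fails, proceed as though no preference was sent
// instead of failing the request. A real program would pass al to
// language.ParseAcceptLanguage at the marked point; that call is omitted
// here to keep the example free of the golang.org/x/text dependency.
func handler(w http.ResponseWriter, r *http.Request) {
	al := r.Header.Get("Accept-Language")
	if err := CheckAcceptLanguage(al); err != nil {
		al = ""
	}
	// language.ParseAcceptLanguage(al) would go here.
	fmt.Fprintf(w, "negotiating with %q\n", al)
}

func main() {
	for _, h := range []string{
		"en-US,en;q=0.9,de;q=0.8",
		buildOversizedHeader(5000),
	} {
		err := CheckAcceptLanguage(h)
		fmt.Printf("len=%d dashes=%d err=%v\n", len(h), strings.Count(h, "-"), err)
	}
}
```

The count spans every tag in the header, as the commit message describes, so many short tags and one long tag are measured the same way; exactly 1000 dashes is still accepted and 1001 is rejected. Falling back to an empty preference rather than returning an error keeps the guard from becoming a cheap way to break language negotiation for a client that merely sends an unusual header.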
This repository holds supplementary Go libraries for text processing, many involving Unicode.
This repo uses Semantic versioning (http://semver.org/). Until version 1.0.0 of x/text is reached, the minor version is considered a major version, so going from 0.1.0 to 0.2.0 is considered a major version bump.
A major new CLDR version is mapped to a minor version increase in x/text. Any other new CLDR version is mapped to a patch version increase in x/text.
It is important that the Unicode version used in x/text matches the one used by your Go compiler. The x/text repository supports multiple versions of Unicode and will match the version of Unicode to that of the Go compiler. At the moment this is supported for Go compilers from version 1.7.
The easiest way to install is to run `go get -u golang.org/x/text`. You can also manually git clone the repository to `$GOPATH/src/golang.org/x/text`.
Run `go test ./...` from this directory to run all tests. Add the `-tags icu` flag to also run ICU conformance tests (if available). This requires that you have the correct ICU version installed on your system.
To generate the tables in this repository (except for the encoding tables), run `go generate` from this directory. By default tables are generated for the Unicode version in core and the CLDR version defined in golang.org/x/text/unicode/cldr.

Running `go generate` will as a side effect create a DATA subdirectory in this directory, which holds all files that are used as a source for generating the tables. This directory will also serve as a cache.
To update a Unicode version run `UNICODE_VERSION=x.x.x go generate`, where `x.x.x` must correspond to a directory in https://www.unicode.org/Public/. If this version is newer than the version in core it will also update the relevant packages there. The idna package in x/net will always be updated.
To update a CLDR version run `CLDR_VERSION=version go generate`, where `version` must correspond to a directory in https://www.unicode.org/Public/cldr/.
Note that the code is adapted over time to changes in the data and that backwards compatibility is not maintained, so updating to a different version may not work.
The files in DATA/{iana|icu|w3|whatwg} are currently not versioned.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the x/text repository is located at https://github.com/golang/go/issues. Prefix your issue with "x/text:" in the subject line, so it is easy to find.