blob: 968029d6cdeb7ee2c1688dc9e59920f330a07683 [file] [log] [blame]
packages:
- module: std
package: net/textproto
symbols:
- Reader.ReadMimeHeader
versions:
- fixed: 1.12.10
- introduced: 1.13.0
fixed: 1.13.1
description: |
net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
If a Go server is used behind an uncommon reverse proxy that accepts and
forwards but doesn't normalize such invalid headers, the reverse proxy and
the server can interpret the headers differently. This can lead to filter
bypasses or request smuggling, the latter if requests from separate clients
are multiplexed onto the same upstream connection by the proxy. Such
invalid headers are now rejected by Go servers, and passed without
normalization to Go client applications.
cves:
- CVE-2019-16276
credit: Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh)
links:
pr: https://go.dev/cl/197503
commit: https://go.googlesource.com/go/+/41b1f88efab9d263408448bf139659119002ea50
context:
- https://go.dev/issue/34540
- https://groups.google.com/g/golang-announce/c/cszieYyuL9Q/m/g4Z7pKaqAgAJ