diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch | 212 |
1 files changed, 212 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch new file mode 100644 index 0000000000..080def4682 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch | |||
@@ -0,0 +1,212 @@ | |||
1 | From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Neil <dneil@google.com> | ||
3 | Date: Wed, 28 Jun 2023 13:20:08 -0700 | ||
4 | Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before | ||
5 | sending | ||
6 | |||
7 | Verify that the Host header we send is valid. | ||
8 | Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" | ||
9 | adding an X-Evil header to HTTP/1 requests. | ||
10 | |||
11 | Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to | ||
12 | header injection in the way HTTP/1 is, but x/net/http2 doesn't validate | ||
13 | the header and will go into a retry loop when the server rejects it. | ||
14 | CL 506995 adds the necessary validation to x/net/http2. | ||
15 | |||
16 | Updates #60374 | ||
17 | Fixes #61075 | ||
18 | For CVE-2023-29406 | ||
19 | |||
20 | Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 | ||
21 | Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 | ||
22 | Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
23 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
24 | Run-TryBot: Damien Neil <dneil@google.com> | ||
25 | (cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2) | ||
26 | Reviewed-on: https://go-review.googlesource.com/c/go/+/507358 | ||
27 | Run-TryBot: Tatiana Bradley <tatianabradley@google.com> | ||
28 | Reviewed-by: Roland Shoemaker <roland@golang.org> | ||
29 | |||
30 | Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b] | ||
31 | CVE: CVE-2023-29406 | ||
32 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
33 | --- | ||
34 | src/net/http/http_test.go | 29 --------------------- | ||
35 | src/net/http/request.go | 47 ++++++++-------------------------- | ||
36 | src/net/http/request_test.go | 11 ++------ | ||
37 | src/net/http/transport_test.go | 18 +++++++++++++ | ||
38 | 4 files changed, 31 insertions(+), 74 deletions(-) | ||
39 | |||
40 | diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go | ||
41 | index f4ea52d..ea38cb4 100644 | ||
42 | --- a/src/net/http/http_test.go | ||
43 | +++ b/src/net/http/http_test.go | ||
44 | @@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) { | ||
45 | } | ||
46 | } | ||
47 | |||
48 | -func TestCleanHost(t *testing.T) { | ||
49 | - tests := []struct { | ||
50 | - in, want string | ||
51 | - }{ | ||
52 | - {"www.google.com", "www.google.com"}, | ||
53 | - {"www.google.com foo", "www.google.com"}, | ||
54 | - {"www.google.com/foo", "www.google.com"}, | ||
55 | - {" first character is a space", ""}, | ||
56 | - {"[1::6]:8080", "[1::6]:8080"}, | ||
57 | - | ||
58 | - // Punycode: | ||
59 | - {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"}, | ||
60 | - {"bücher.de", "xn--bcher-kva.de"}, | ||
61 | - {"bücher.de:8080", "xn--bcher-kva.de:8080"}, | ||
62 | - // Verify we convert to lowercase before punycode: | ||
63 | - {"BÜCHER.de", "xn--bcher-kva.de"}, | ||
64 | - {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"}, | ||
65 | - // Verify we normalize to NFC before punycode: | ||
66 | - {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed | ||
67 | - {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input | ||
68 | - } | ||
69 | - for _, tt := range tests { | ||
70 | - got := cleanHost(tt.in) | ||
71 | - if tt.want != got { | ||
72 | - t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want) | ||
73 | - } | ||
74 | - } | ||
75 | -} | ||
76 | - | ||
77 | // Test that cmd/go doesn't link in the HTTP server. | ||
78 | // | ||
79 | // This catches accidental dependencies between the HTTP transport and | ||
80 | diff --git a/src/net/http/request.go b/src/net/http/request.go | ||
81 | index cb2edd2..2706300 100644 | ||
82 | --- a/src/net/http/request.go | ||
83 | +++ b/src/net/http/request.go | ||
84 | @@ -18,7 +18,6 @@ import ( | ||
85 | "io/ioutil" | ||
86 | "mime" | ||
87 | "mime/multipart" | ||
88 | - "net" | ||
89 | "net/http/httptrace" | ||
90 | "net/textproto" | ||
91 | "net/url" | ||
92 | @@ -26,7 +25,8 @@ import ( | ||
93 | "strconv" | ||
94 | "strings" | ||
95 | "sync" | ||
96 | - | ||
97 | + | ||
98 | + "golang.org/x/net/http/httpguts" | ||
99 | "golang.org/x/net/idna" | ||
100 | ) | ||
101 | |||
102 | @@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF | ||
103 | // is not given, use the host from the request URL. | ||
104 | // | ||
105 | // Clean the host, in case it arrives with unexpected stuff in it. | ||
106 | - host := cleanHost(r.Host) | ||
107 | + host := r.Host | ||
108 | if host == "" { | ||
109 | if r.URL == nil { | ||
110 | return errMissingHost | ||
111 | } | ||
112 | - host = cleanHost(r.URL.Host) | ||
113 | + host = r.URL.Host | ||
114 | + } | ||
115 | + host, err = httpguts.PunycodeHostPort(host) | ||
116 | + if err != nil { | ||
117 | + return err | ||
118 | + } | ||
119 | + if !httpguts.ValidHostHeader(host) { | ||
120 | + return errors.New("http: invalid Host header") | ||
121 | } | ||
122 | |||
123 | // According to RFC 6874, an HTTP client, proxy, or other | ||
124 | @@ -717,38 +724,6 @@ func idnaASCII(v string) (string, error) { | ||
125 | return idna.Lookup.ToASCII(v) | ||
126 | } | ||
127 | |||
128 | -// cleanHost cleans up the host sent in request's Host header. | ||
129 | -// | ||
130 | -// It both strips anything after '/' or ' ', and puts the value | ||
131 | -// into Punycode form, if necessary. | ||
132 | -// | ||
133 | -// Ideally we'd clean the Host header according to the spec: | ||
134 | -// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]") | ||
135 | -// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host) | ||
136 | -// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host) | ||
137 | -// But practically, what we are trying to avoid is the situation in | ||
138 | -// issue 11206, where a malformed Host header used in the proxy context | ||
139 | -// would create a bad request. So it is enough to just truncate at the | ||
140 | -// first offending character. | ||
141 | -func cleanHost(in string) string { | ||
142 | - if i := strings.IndexAny(in, " /"); i != -1 { | ||
143 | - in = in[:i] | ||
144 | - } | ||
145 | - host, port, err := net.SplitHostPort(in) | ||
146 | - if err != nil { // input was just a host | ||
147 | - a, err := idnaASCII(in) | ||
148 | - if err != nil { | ||
149 | - return in // garbage in, garbage out | ||
150 | - } | ||
151 | - return a | ||
152 | - } | ||
153 | - a, err := idnaASCII(host) | ||
154 | - if err != nil { | ||
155 | - return in // garbage in, garbage out | ||
156 | - } | ||
157 | - return net.JoinHostPort(a, port) | ||
158 | -} | ||
159 | - | ||
160 | // removeZone removes IPv6 zone identifier from host. | ||
161 | // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080" | ||
162 | func removeZone(host string) string { | ||
163 | diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go | ||
164 | index 461d66e..0d417ff 100644 | ||
165 | --- a/src/net/http/request_test.go | ||
166 | +++ b/src/net/http/request_test.go | ||
167 | @@ -676,15 +676,8 @@ func TestRequestBadHost(t *testing.T) { | ||
168 | } | ||
169 | req.Host = "foo.com with spaces" | ||
170 | req.URL.Host = "foo.com with spaces" | ||
171 | - req.Write(logWrites{t, &got}) | ||
172 | - want := []string{ | ||
173 | - "GET /after HTTP/1.1\r\n", | ||
174 | - "Host: foo.com\r\n", | ||
175 | - "User-Agent: " + DefaultUserAgent + "\r\n", | ||
176 | - "\r\n", | ||
177 | - } | ||
178 | - if !reflect.DeepEqual(got, want) { | ||
179 | - t.Errorf("Writes = %q\n Want = %q", got, want) | ||
180 | + if err := req.Write(logWrites{t, &got}); err == nil { | ||
181 | + t.Errorf("Writing request with invalid Host: succeded, want error") | ||
182 | } | ||
183 | } | ||
184 | |||
185 | diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go | ||
186 | index fa0c370..0afb6b9 100644 | ||
187 | --- a/src/net/http/transport_test.go | ||
188 | +++ b/src/net/http/transport_test.go | ||
189 | @@ -6249,3 +6249,21 @@ func TestIssue32441(t *testing.T) { | ||
190 | t.Error(err) | ||
191 | } | ||
192 | } | ||
193 | + | ||
194 | +func TestRequestSanitization(t *testing.T) { | ||
195 | + setParallel(t) | ||
196 | + defer afterTest(t) | ||
197 | + | ||
198 | + ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) { | ||
199 | + if h, ok := req.Header["X-Evil"]; ok { | ||
200 | + t.Errorf("request has X-Evil header: %q", h) | ||
201 | + } | ||
202 | + })).ts | ||
203 | + defer ts.Close() | ||
204 | + req, _ := NewRequest("GET", ts.URL, nil) | ||
205 | + req.Host = "go.dev\r\nX-Evil:evil" | ||
206 | + resp, _ := ts.Client().Do(req) | ||
207 | + if resp != nil { | ||
208 | + resp.Body.Close() | ||
209 | + } | ||
210 | +} | ||
211 | -- | ||
212 | 2.25.1 | ||