commit b17fd8e49d24eb298c53de5cd0a8923f1e0270ba [browse]
Author: Filippo Valsorda
Date: 2019-09-25 13:34:27 -04:00

[release-branch.go1.13-security] go1.13.1

Change-Id: I371ff39537fc617a2462cc947dd717b53ede7bcc
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558790
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 13fe59bfdaf6c43a75fe4a0ffe9815d72fdd82dd [browse]
Author: Andrew
Date: 2019-09-03 16:00:13 -04:00

[release-branch.go1.13-security] doc: add Go 1.13 to release history

Change-Id: I3340561c0b17bf28d8d480e00f5bc8afb2a897ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/193042
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558786
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 5a6ab1ec3e678640befebeb3318b746a64ad986c [browse]
Author: Filippo Valsorda
Date: 2019-09-12 12:37:36 -04:00

[release-branch.go1.13-security] net/textproto: don't normalize headers with spaces before the colon

RFC 7230 is clear about headers with a space before the colon, like

X-Answer : 42

being invalid, but we've been accepting and normalizing them for compatibility
purposes since CL 5690059 in 2012.

On the client side, this is harmless and indeed most browsers behave the same
to this day. On the server side, this becomes a security issue when the
behavior doesn't match that of a reverse proxy sitting in front of the server.

For example, if a WAF accepts them without normalizing them, it might be
possible to bypass its filters, because the Go server would interpret the
header differently. Worse, if the reverse proxy coalesces requests onto a
single HTTP/1.1 connection to a Go server, the understanding of the request
boundaries can get out of sync between them, allowing an attacker to tack an
arbitrary method and path onto a request by other clients, including
authentication headers unknown to the attacker.

This was recently presented at multiple security conferences:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

net/http servers already reject header keys with invalid characters.
Simply stop normalizing extra spaces in net/textproto, let it return them
unchanged like it does for other invalid headers, and let net/http enforce
RFC 7230, which is HTTP specific. This loses us normalization on the client
side, but there's no right answer on the client side anyway, and hiding the
issue sounds worse than letting the application decide.

Fixes CVE-2019-16276

Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719
Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558935
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit c58577b6c902eee40d68b1118850bdcff175040a [browse]
Author: Filippo Valsorda
Date: 2019-09-25 11:18:50 -04:00

[release-branch.go1.13-security] doc: document Go 1.13.1 and Go 1.12.10

Change-Id: If694ce529393b8ae9c6c55270665efc3a108a3b2
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558783
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit cc8838d645b2b7026c1f3aaceb011775c5ca3a08 [browse]
Author: Andrew Bonventre
Date: 2019-09-03 12:38:31 -04:00

[release-branch.go1.13] go1.13

Change-Id: Iad80da6df9a6f9a39458e1060bed3557a5ed89a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/193037
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>