diff options
author | Damien Neil <dneil@google.com> | 2024-01-11 11:31:57 -0800 |
---|---|---|
committer | Gopher Robot <gobot@golang.org> | 2024-03-05 16:43:48 +0000 |
commit | 3a855208e3efed2e9d7c20ad023f1fa78afcc0be (patch) | |
tree | d69f1b22baeb446a10a68965385d284fa1eaf38b | |
parent | 337b8e9cbfa749d9d5c899e0dc358e2208d5e54f (diff) | |
download | go-3a855208e3efed2e9d7c20ad023f1fa78afcc0be.tar.gz go-3a855208e3efed2e9d7c20ad023f1fa78afcc0be.zip |
[release-branch.go1.22] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones
When deciding whether to forward cookies or sensitive headers
across a redirect, do not attempt to interpret an IPv6 address
as a domain name.
Avoids a case where a maliciously-crafted redirect to an
IPv6 address with a scoped addressing zone could be
misinterpreted as a within-domain redirect. For example,
we could interpret "::1%.www.example.com" as a subdomain
of "www.example.com".
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Fixes CVE-2023-45289
Fixes #65859
For #65065
Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344
Reviewed-by: Carlos Amedee <amedee@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569236
Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
-rw-r--r-- | src/net/http/client.go | 6 | ||||
-rw-r--r-- | src/net/http/client_test.go | 1 | ||||
-rw-r--r-- | src/net/http/cookiejar/jar.go | 7 | ||||
-rw-r--r-- | src/net/http/cookiejar/jar_test.go | 10 |
4 files changed, 24 insertions, 0 deletions
diff --git a/src/net/http/client.go b/src/net/http/client.go index ee6de24fc1..8fc348fe5d 100644 --- a/src/net/http/client.go +++ b/src/net/http/client.go @@ -1014,6 +1014,12 @@ func isDomainOrSubdomain(sub, parent string) bool { if sub == parent { return true } + // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). + // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. + // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". + if strings.ContainsAny(sub, ":%") { + return false + } // If sub is "foo.example.com" and parent is "example.com", // that means sub must end in "."+parent. // Do it without allocating. diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go index 7459b9cb6e..e2a1cbbdea 100644 --- a/src/net/http/client_test.go +++ b/src/net/http/client_test.go @@ -1711,6 +1711,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { {"authorization", "http://foo.com/", "https://foo.com/", true}, {"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true}, {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, + {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, // But subdomains should work: {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go index 59cde82cb3..e7f5ddd4d0 100644 --- a/src/net/http/cookiejar/jar.go +++ b/src/net/http/cookiejar/jar.go @@ -362,6 +362,13 @@ func jarKey(host string, psl PublicSuffixList) string { // isIP reports whether host is an IP address. func isIP(host string) bool { + if strings.ContainsAny(host, ":%") { + // Probable IPv6 address. + // Hostnames can't contain : or %, so this is definitely not a valid host. + // Treating it as an IP is the more conservative option, and avoids the risk + // of interpeting ::1%.www.example.com as a subtomain of www.example.com. + return true + } return net.ParseIP(host) != nil } diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go index 56d0695a66..251f7c1617 100644 --- a/src/net/http/cookiejar/jar_test.go +++ b/src/net/http/cookiejar/jar_test.go @@ -252,6 +252,7 @@ var isIPTests = map[string]bool{ "127.0.0.1": true, "1.2.3.4": true, "2001:4860:0:2001::68": true, + "::1%zone": true, "example.com": false, "1.1.1.300": false, "www.foo.bar.net": false, @@ -629,6 +630,15 @@ var basicsTests = [...]jarTest{ {"http://www.host.test:1234/", "a=1"}, }, }, + { + "IPv6 zone is not treated as a host.", + "https://example.com/", + []string{"a=1"}, + "a=1", + []query{ + {"https://[::1%25.example.com]:80/", ""}, + }, + }, } func TestBasics(t *testing.T) { |