diff options
| author | Damien Neil <dneil@google.com> | 2021-08-16 10:46:06 -0700 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2021-08-16 20:02:13 +0000 |
| commit | ec271687129dc8b263699b0b9d3abed71d8bd39d (patch) | |
| tree | 6e0a191995c904334d426042b79d0f819548d904 /src/net | |
| parent | d35035f84e5dbe4c740d3f338ba89b41a00e270e (diff) | |
| download | go-ec271687129dc8b263699b0b9d3abed71d8bd39d.tar.gz go-ec271687129dc8b263699b0b9d3abed71d8bd39d.zip | |
net/http: drop headers with invalid keys in Header.Write
Don't let handlers inject unexpected headers by setting keys like:
w.Header().Set("Evil: x\r\nSmuggle", y)
Fixes #47711.
Change-Id: I459ce1c79bc273a84230a0f5b665f81c46dbc672
Reviewed-on: https://go-review.googlesource.com/c/go/+/342530
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Diffstat (limited to 'src/net')
| -rw-r--r-- | src/net/http/header.go | 9 | ||||
| -rw-r--r-- | src/net/http/header_test.go | 13 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/net/http/header.go b/src/net/http/header.go index 4c72dcb2c8..cc9c28e3d0 100644 --- a/src/net/http/header.go +++ b/src/net/http/header.go @@ -13,6 +13,8 @@ import ( "strings" "sync" "time" + + "golang.org/x/net/http/httpguts" ) // A Header represents the key-value pairs in an HTTP header. @@ -192,6 +194,13 @@ func (h Header) writeSubset(w io.Writer, exclude map[string]bool, trace *httptra kvs, sorter := h.sortedKeyValues(exclude) var formattedVals []string for _, kv := range kvs { + if !httpguts.ValidHeaderFieldName(kv.key) { + // This could be an error. In the common case of + // writing reponse headers, however, we have no good + // way to provide the error back to the server + // handler, so just drop invalid headers instead. + continue + } for _, v := range kv.values { v = headerNewlineToSpace.Replace(v) v = textproto.TrimString(v) diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go index 4789362919..57d16f51a5 100644 --- a/src/net/http/header_test.go +++ b/src/net/http/header_test.go @@ -89,6 +89,19 @@ var headerWriteTests = []struct { "k4: 4a\r\nk4: 4b\r\nk6: 6a\r\nk6: 6b\r\n" + "k7: 7a\r\nk7: 7b\r\nk8: 8a\r\nk8: 8b\r\nk9: 9a\r\nk9: 9b\r\n", }, + // Tests invalid characters in headers. + { + Header{ + "Content-Type": {"text/html; charset=UTF-8"}, + "NewlineInValue": {"1\r\nBar: 2"}, + "NewlineInKey\r\n": {"1"}, + "Colon:InKey": {"1"}, + "Evil: 1\r\nSmuggledValue": {"1"}, + }, + nil, + "Content-Type: text/html; charset=UTF-8\r\n" + + "NewlineInValue: 1 Bar: 2\r\n", + }, } func TestHeaderWrite(t *testing.T) { |