Skip to content

net/http: reject bare LF in chunked encoding [1.23 backport] #72010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Feb 27, 2025 · 2 comments
Closed

net/http: reject bare LF in chunked encoding [1.23 backport] #72010

gopherbot opened this issue Feb 27, 2025 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases Security
Milestone
Go1.23.8

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #71988 to be considered for backport to the next 1.23 minor release.

@gopherbot please open backport issues for this security fix.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Feb 27, 2025
@gopherbot gopherbot mentioned this issue Feb 27, 2025
Closed
@gopherbot gopherbot added this to the Go1.23.7 milestone Feb 27, 2025
@gopherbot gopherbot modified the milestones: Go1.23.7, Go1.23.8 Mar 4, 2025
@JunyangShao JunyangShao added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Mar 5, 2025
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/657216 mentions this issue: [release-branch.go1.23] net/http: reject newlines in chunk-size lines

gopherbot pushed a commit that referenced this issue Mar 17, 2025
@neild @cherrymui
[release-branch.go1.23] net/http: reject newlines in chunk-size lines
15e01a2 
Unlike request headers, where we are allowed to leniently accept
a bare LF in place of a CRLF, chunked bodies must always use CRLF
line terminators. We were already enforcing this for chunk-data lines;
do so for chunk-size lines as well. Also reject bare CRs anywhere
other than as part of the CRLF terminator.

Fixes CVE-2025-22871
Fixes #72010
For #71988

Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
Reviewed-by: Jonathan Amsterdam <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
(cherry picked from commit d31c805)
Reviewed-on: https://go-review.googlesource.com/c/go/+/657216
@gopherbot
Copy link
Contributor Author

Closed by merging CL 657216 (commit 15e01a2) to release-branch.go1.23.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases Security
Projects
None yet
Milestone
Go1.23.8
Development

No branches or pull requests
3 participants
@dmitshur @gopherbot @JunyangShao