Skip to content

G
go
Switch branch/tag
  1. 12 Aug, 2019 2 commits
    • Filippo Valsorda's avatar
      net/url: make Hostname and Port predictable for invalid Host values · 61bb56ad
      Filippo Valsorda authored 
      When Host is not valid per RFC 3986, the behavior of Hostname and Port
was wildly unpredictable, to the point that Host could have a suffix
that didn't appear in neither Hostname nor Port.

This is a security issue when applications are applying checks to Host
and expecting them to be meaningful for the contents of Hostname.

To reduce disruption, this change only aims to guarantee the following
two security-relevant invariants.

* Host is either Hostname or [Hostname] with Port empty, or
  Hostname:Port or [Hostname]:Port.

* Port is only decimals.

The second invariant is the one that's most likely to cause disruption,
but I believe it's important, as it's conceivable an application might
do a suffix check on Host and expect it to be meaningful for the
contents of Hostname (if the suffix is not a valid port).

There are three ways to ensure it.

1) Reject invalid ports in Parse. Note that non-numeric ports are
   already rejected if and only if the host starts with "[".

2) Consider non-numeric ports as part of Hostname, not Port.

3) Allow non-numeric ports, and hope they only flow down to net/http,
   which will reject them (#14353).

This change adopts both 1 and 2. We could do only the latter, but then
these invalid hosts would flow past port checks, like in
http_test.TestTransportRejectsAlphaPort. Non-numeric ports weren't fully
supported anyway, because they were rejected after IPv6 literals, so
this restores consistency. We could do only the former, but at this
point 2) is free and might help with manually constructed Host values
(or if we get something wrong in Parse).

Note that net.SplitHostPort and net.Dial explicitly accept service names
in place of port numbers, but this is an URL package, and RFC 3986,
Section 3.2.3, clearly specifies ports as a number in decimal.

net/http uses a mix of net.SplitHostPort and url.Parse that would
deserve looking into, but in general it seems that it will still accept
service names in Addr fields as they are passed to net.Listen, while
rejecting them in URLs, which feels correct.

This leaves a number of invalid URLs to reject, which however are not
security relevant once the two invariants above hold, so can be done in
Go 1.14: IPv6 literals without brackets (#31024), invalid IPv6 literals,
hostnames with invalid characters, and more.

Tested with 200M executions of go-fuzz and the following Fuzz function.

	u, err := url.Parse(string(data))
	if err != nil {
		return 0
	}
	h := u.Hostname()
	p := u.Port()

	switch u.Host {
	case h + ":" + p:
		return 1
	case "[" + h + "]:" + p:
		return 1
	case h:
		fallthrough
	case "[" + h + "]":
		if p != "" {
			panic("unexpected Port()")
		}
		return 1
	}
	panic("Host is not a variant of [Hostname]:Port")

Fixes CVE-2019-14809
Updates #29098

Change-Id: I7ef40823dab28f29511329fa2d5a7fb10c3ec895
Reviewed-on: https://go-review.googlesource.com/c/go/+/189258Reviewed-by: default avatarIan Lance Taylor <iant@golang.org>
      61bb56ad
    • Filippo Valsorda's avatar
      src/go.mod: sync golang.org/x/net with h2_bundle.go · 45504066
      Filippo Valsorda authored 
      The bundle included changes from a commit after the one referred to by
the go.mod, probably due to cmd/bundle using the GOPATH source.

Identified with the new go/packages based cmd/bundle from CL 189818.

$ go get golang.org/x/net@461777fb6f
$ go mod tidy
$ go mod vendor
$ go generate net/http # with CL 189818

Also, updated the socks_bundle.go generate command to drop obsolete
options and match h2_bundle.go. It caused no output changes.

Updates #32031

Change-Id: I0322d4e842dbfdad749455111072ca4872a62ad4
Reviewed-on: https://go-review.googlesource.com/c/go/+/189897Reviewed-by: default avatarDmitri Shuralyov <dmitshur@golang.org>
      45504066
  3. 11 Aug, 2019 2 commits
  5. 10 Aug, 2019 1 commit
  7. 09 Aug, 2019 4 commits
  9. 08 Aug, 2019 5 commits
  11. 07 Aug, 2019 1 commit
  13. 06 Aug, 2019 5 commits
  15. 05 Aug, 2019 5 commits
  17. 03 Aug, 2019 1 commit
  19. 02 Aug, 2019 8 commits
  21. 01 Aug, 2019 5 commits
  23. 31 Jul, 2019 1 commit
    • Ian Lance Taylor's avatar
      cmd/go: only pass -fsplit-stack to gccgo if supported · 407010ef
      Ian Lance Taylor authored 
      Also add other gccgo options.

This ports CL 45695 and CL 48592 from the gofrontend repo to the gc repo.

CL 45695 (partial entry, other parts out of date and not ported):

    cmd/go: gccgo: consistent results

    Pass the -fdebug-prefix-map and -gno-record-gcc-switches compiler
    options to gccgo to generate consistent results.

CL 48592:

    cmd/go: use gccSupportsFlag for -fsplit-stack

    Don't assume that all (or only) 386/amd64 compilers support
    -fsplit-stack.

Fixes #33108

Change-Id: I61f9e5a67e4fb059f26750e97621d27afa566ec2
Reviewed-on: https://go-review.googlesource.com/c/go/+/187824
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarBryan C. Mills <bcmills@google.com>
      407010ef
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7