Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] CRLF Header Splitting #875

Closed
Fenny opened this issue Sep 9, 2020 · 3 comments
Closed

[Security] CRLF Header Splitting #875

Fenny opened this issue Sep 9, 2020 · 3 comments
Labels
help wanted pending/development

Comments

@Fenny
Copy link
Contributor

Fenny commented Sep 9, 2020
edited
Loading

The default library seems to serialize &%0d%0a replace it with empty spaces 

// net/http
func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query().Get("redirect")
		w.Header().Set("Location", q)
	})
}
// GET http://localhost:3000/?redirect=foo%0d%0aSet-Cookie:%20SESSIONID=MaliciousValue%0d%0a

// HTTP/1.1 200 OK
// Location: foo  Set-Cookie: SESSIONID=MaliciousValue
// Date: Wed, 09 Sep 2020 13:17:50 GMT
// Content-Length: 0

Where fasthttp does not, I'm wondering if this should be either documented or fixed asap.

// fasthttp
func main() {
	fasthttp.ListenAndServe(":3000", func(c *fasthttp.RequestCtx) {
		q := string(c.QueryArgs().Peek("redirect"))
		c.Response.Header.Set("Location", q)
	})
}
// GET http://localhost:3000/?redirect=foo%0d%0aSet-Cookie:%20SESSIONID=MaliciousValue%0d%0a

// HTTP/1.1 200 OK
// Server: fasthttp
// Date: Wed, 09 Sep 2020 13:18:12 GMT
// Content-Length: 0
// Location: foo
// Set-Cookie: SESSIONID=MaliciousValue
@erikdubbelboer
Copy link
Collaborator

I think this should be documented. net/http seems to make sure that header values don't contain newlines. I don't think fasthttp users want to have this overhead. The fasthttp API is much more raw which allows it to be faster.

kirillDanshin added a commit that referenced this issue Nov 8, 2020
@kirillDanshin
fix issue #875
61f1899 
Signed-off-by: Kirill Danshin <kirill@danshin.pro>
@Fenny
Copy link
Contributor Author

Fenny commented Dec 9, 2020

Possible to merge #909 and close this issue? Thanks @erikdubbelboer

erikdubbelboer added a commit that referenced this issue Dec 9, 2020
@kirillDanshin @ReneWerner87
@Fenny @erikdubbelboer
fix issue #875 (#909)
d0dfbd4 
* 🐞 panic in fs.go #824

* fix issue #875

Signed-off-by: Kirill Danshin <kirill@danshin.pro>

* improve issue 875

Co-authored-by: Fenny <fenny@gofiber.io>

* Update header.go

* Update header.go

Co-authored-by: Kirill Danshin <kirill@danshin.pro>

* remove foldReplacer

* Improve removeNewLines

Start replacing at the first character found, use bytes.Indexbyte to
make the function signature more logical. Both bytes.indexByte and
strings.IndexByte use exactly the same code:
https://github.com/golang/go/blob/0c703b37dffe74d3fffc04347884bb0ee2fba5b3/src/internal/bytealg/indexbyte_amd64.s#L8-L20

Co-authored-by: wernerr <rene.werner@verivox.com>
Co-authored-by: wernerr <rene@gofiber.io>
Co-authored-by: Fenny <fenny@gofiber.io>
Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
@erikdubbelboer
Copy link
Collaborator

It's merged, I'll tag a release.

@dalf dalf mentioned this issue Oct 28, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted pending/development
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@erikdubbelboer @Fenny