net/http: don't strip whitespace from Transfer-Encoding headers
authorDamien Neil <dneil@google.com>
Wed, 1 Jun 2022 18:17:07 +0000 (11:17 -0700)
committerDamien Neil <dneil@google.com>
Wed, 29 Jun 2022 20:22:10 +0000 (20:22 +0000)
Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

Fixes #53188
Fixes CVE-2022-1705

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/net/http/serve_test.go
src/net/http/transfer.go

index 464e0f734df4655dd32517405d82421d3b9cd778..cb6312d6412118d629babb18584b6c76606fb13a 100644 (file)
@@ -6245,6 +6245,7 @@ func TestUnsupportedTransferEncodingsReturn501(t *testing.T) {
                "fugazi",
                "foo-bar",
                "unknown",
+               "\rchunked",
        }
 
        for _, badTE := range unsupportedTEs {
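Review bot: The new `"\rchunked"` entry in `unsupportedTEs` covers only a leading carriage return, while the `textproto.TrimString` call this commit removes from transfer.go presumably trimmed ASCII whitespace at both ends of the value. If the request built in the loop lets it reach `parseTransferEncoding`, a trailing form such as `"chunked\r"` would be worth adding so the 501 response is pinned for that side too. A short comment on the entry, e.g. `// Issue 53188: a CR is not optional whitespace and must not be accepted as chunked`, would tell a later reader why this value sits among the unknown encodings. The loop body that sends the request lies outside the hunk, so whether such values survive header parsing needs checking there.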
index 6957b246f34fa035299df797e48b9f000ff3644a..4583c6b453d08500d42824b55cb8467cb3ba6d7a 100644 (file)
@@ -642,7 +642,7 @@ func (t *transferReader) parseTransferEncoding() error {
        if len(raw) != 1 {
                return &unsupportedTEError{fmt.Sprintf("too many transfer encodings: %q", raw)}
        }
-       if !ascii.EqualFold(textproto.TrimString(raw[0]), "chunked") {
+       if !ascii.EqualFold(raw[0], "chunked") {
                return &unsupportedTEError{fmt.Sprintf("unsupported transfer encoding: %q", raw[0])}
        }