net/http/cgi: reject invalid header names
authorFilippo Valsorda <filippo@golang.org>
Tue, 5 May 2020 04:11:00 +0000 (00:11 -0400)
committerFilippo Valsorda <filippo@golang.org>
Wed, 6 May 2020 17:06:02 +0000 (17:06 +0000)
Being lenient on those has caused enough security issues.

Spun out of CL 231419.

Fixes #38889

Change-Id: Idd3bc6adc22e08a30b3dabb146ce78d4105684cd
Reviewed-on: https://go-review.googlesource.com/c/go/+/232277
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/go/build/deps_test.go
src/net/http/cgi/host.go

index ee1252fda239d0a41cb99f08b8136b65d9cb23da..d980781416b35233bd529f5596d70e32e2fd287c 100644 (file)
@@ -448,7 +448,7 @@ var pkgDeps = map[string][]string{
 
        // HTTP-using packages.
        "expvar":             {"L4", "OS", "encoding/json", "net/http"},
-       "net/http/cgi":       {"L4", "NET", "OS", "crypto/tls", "net/http", "regexp"},
+       "net/http/cgi":       {"L4", "NET", "OS", "crypto/tls", "net/http", "regexp", "golang.org/x/net/http/httpguts"},
        "net/http/cookiejar": {"L4", "NET", "net/http"},
        "net/http/fcgi":      {"L4", "NET", "OS", "context", "net/http", "net/http/cgi"},
        "net/http/httptest": {
index a038575480a4753ca627afd1c3e35ca9a016c7bd..863f40638ab3412b218c09ef0c4b407c0fe065ff 100644 (file)
@@ -29,6 +29,8 @@ import (
        "runtime"
        "strconv"
        "strings"
+
+       "golang.org/x/net/http/httpguts"
 )
 
 var trailingPort = regexp.MustCompile(`:([0-9]+)$`)
@@ -277,7 +279,10 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
                        continue
                }
                header, val := parts[0], parts[1]
-               header = textproto.TrimString(header)
+               if !httpguts.ValidHeaderFieldName(header) {
+                       h.printf("cgi: invalid header name: %q", header)
+                       continue
+               }
                val = textproto.TrimString(val)
                switch {
                case header == "Status":
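Review bot: The new check validates only the header name; `val` on the next line is still just trimmed, so a header value containing control characters from the CGI script is passed through unchanged into the response headers. The natural companion to this hunk is `if !httpguts.ValidHeaderFieldValue(val) { h.printf("cgi: invalid header value: %q", val); continue }` placed right after the `textproto.TrimString(val)` line, using the same log-and-skip shape as the name check. This may be intentional scope for this CL (the description says it was spun out of a larger change, which may cover values), and net/http's header writer may already neutralise CR/LF in values, but a rejected value is easier to reason about than a sanitised one. Since the old `textproto.TrimString(header)` is gone, names with surrounding whitespace are now rejected rather than normalised; a one-line comment such as `// Header names are validated, not trimmed: whitespace around the name is rejected.` would record that this is deliberate. ServeHTTP's body starts before and continues past this hunk.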