66 строки
2.6 KiB
Diff
66 строки
2.6 KiB
Diff
From a47ab91255e04dda4ca0d734afef58216c7479a2 Mon Sep 17 00:00:00 2001
|
|
From: Roland Shoemaker <bracewell@google.com>
|
|
Date: Fri, 2 Sep 2022 09:35:37 -0700
|
|
Subject: [PATCH] language: reject excessively large Accept-Language strings
|
|
|
|
Backported to apply on vendor direcotry by @mfrw
|
|
|
|
The BCP 47 tag parser has quadratic time complexity due to inherent
|
|
aspects of its design. Since the parser is, by design, exposed to
|
|
untrusted user input, this can be leveraged to force a program to
|
|
consume significant time parsing Accept-Language headers.
|
|
|
|
The parser cannot be easily rewritten to fix this behavior for
|
|
various reasons. Instead the solution implemented in this CL is to
|
|
limit the total complexity of tags passed into ParseAcceptLanguage
|
|
by limiting the number of dashes in the string to 1000. This should
|
|
be more than enough for the majority of real world use cases, where
|
|
the number of tags being sent is likely to be in the single digits.
|
|
|
|
Thanks to the OSS-Fuzz project for discovering this issue and to Adam
|
|
Korczynski (ADA Logics) for writing the fuzz case and for reporting the
|
|
issue.
|
|
|
|
Fixes CVE-2022-32149
|
|
Fixes golang/go#56152
|
|
|
|
Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
|
|
Reviewed-by: Damien Neil <dneil@google.com>
|
|
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
|
Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
|
|
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
|
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
|
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
|
|
---
|
|
vendor/golang.org/x/text/language/parse.go | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
|
|
index 59b0410..b982d9e 100644
|
|
--- a/vendor/golang.org/x/text/language/parse.go
|
|
+++ b/vendor/golang.org/x/text/language/parse.go
|
|
@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
|
|
}
|
|
|
|
var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
|
|
+var errTagListTooLarge = errors.New("tag list exceeds max length")
|
|
|
|
// ParseAcceptLanguage parses the contents of an Accept-Language header as
|
|
// defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
|
|
@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
|
|
}
|
|
}()
|
|
|
|
+ if strings.Count(s, "-") > 1000 {
|
|
+ return nil, nil, errTagListTooLarge
|
|
+ }
|
|
+
|
|
var entry string
|
|
for s != "" {
|
|
if entry, s = split(s, ','); entry == "" {
|
|
--
|
|
2.40.1
|
|
|