Skip to content

v0.3.8

v0.3.8: language: reject excessively large Accept-Language strings
@rolandshoemaker rolandshoemaker tagged this 11 Oct 16:58 
The BCP 47 tag parser has quadratic time complexity due to inherent
aspects of its design. Since the parser is, by design, exposed to
untrusted user input, this can be leveraged to force a program to
consume significant time parsing Accept-Language headers.

The parser cannot be easily rewritten to fix this behavior for
various reasons. Instead the solution implemented in this CL is to
limit the total complexity of tags passed into ParseAcceptLanguage
by limiting the number of dashes in the string to 1000. This should
be more than enough for the majority of real world use cases, where
the number of tags being sent is likely to be in the single digits.

Thanks to the OSS-Fuzz project for discovering this issue and to Adam
Korczynski (ADA Logics) for writing the fuzz case and for reporting the
issue.

Fixes CVE-2022-32149
Fixes golang/go#56152

Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Assets 2
Loading