|
| 1 | +From 434eadcdbc3b0256971992e8c70027278364c72c Mon Sep 17 00:00:00 2001 |
| 2 | +From: Roland Shoemaker <bracewell@google.com> |
| 3 | +Date: Fri, 2 Sep 2022 09:35:37 -0700 |
| 4 | +Subject: [PATCH] language: reject excessively large Accept-Language strings |
| 5 | + |
| 6 | +The BCP 47 tag parser has quadratic time complexity due to inherent |
| 7 | +aspects of its design. Since the parser is, by design, exposed to |
| 8 | +untrusted user input, this can be leveraged to force a program to |
| 9 | +consume significant time parsing Accept-Language headers. |
| 10 | + |
| 11 | +The parser cannot be easily rewritten to fix this behavior for |
| 12 | +various reasons. Instead the solution implemented in this CL is to |
| 13 | +limit the total complexity of tags passed into ParseAcceptLanguage |
| 14 | +by limiting the number of dashes in the string to 1000. This should |
| 15 | +be more than enough for the majority of real world use cases, where |
| 16 | +the number of tags being sent is likely to be in the single digits. |
| 17 | + |
| 18 | +Thanks to the OSS-Fuzz project for discovering this issue and to Adam |
| 19 | +Korczynski (ADA Logics) for writing the fuzz case and for reporting the |
| 20 | +issue. |
| 21 | + |
| 22 | +Fixes CVE-2022-32149 |
| 23 | +Fixes golang/go#56152 |
| 24 | + |
| 25 | +Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae |
| 26 | +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112 |
| 27 | +Reviewed-by: Damien Neil <dneil@google.com> |
| 28 | +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> |
| 29 | +Reviewed-on: https://go-review.googlesource.com/c/text/+/442235 |
| 30 | +TryBot-Result: Gopher Robot <gobot@golang.org> |
| 31 | +Auto-Submit: Roland Shoemaker <roland@golang.org> |
| 32 | +Run-TryBot: Roland Shoemaker <roland@golang.org> |
| 33 | +--- |
| 34 | + vendor/golang.org/x/text/language/parse.go | 5 +++++ |
| 35 | + 1 files changed, 5 insertions(+) |
| 36 | + |
| 37 | +diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go |
| 38 | +index 59b04100..b982d9e4 100644 |
| 39 | +--- a/vendor/golang.org/x/text/language/parse.go |
| 40 | ++++ b/vendor/golang.org/x/text/language/parse.go |
| 41 | +@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) { |
| 42 | + } |
| 43 | + |
| 44 | + var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight") |
| 45 | ++var errTagListTooLarge = errors.New("tag list exceeds max length") |
| 46 | + |
| 47 | + // ParseAcceptLanguage parses the contents of an Accept-Language header as |
| 48 | + // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and |
| 49 | +@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) { |
| 50 | + } |
| 51 | + }() |
| 52 | + |
| 53 | ++ if strings.Count(s, "-") > 1000 { |
| 54 | ++ return nil, nil, errTagListTooLarge |
| 55 | ++ } |
| 56 | ++ |
| 57 | + var entry string |
| 58 | + for s != "" { |
| 59 | + if entry, s = split(s, ','); entry == "" { |
0 commit comments