|
| 1 | +From b293cbe0fda9dcbedf27b41767d0b19e08ef51c6 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Sindhu Karri <lakarri@microsoft.com> |
| 3 | +Date: Fri, 13 Sep 2024 06:35:51 +0000 |
| 4 | +Subject: [PATCH] Fix CVE-2022-32149 |
| 5 | + |
| 6 | +--- |
| 7 | +From 434eadcdbc3b0256971992e8c70027278364c72c Mon Sep 17 00:00:00 2001 |
| 8 | +From: Roland Shoemaker <bracewell@google.com> |
| 9 | +Date: Fri, 2 Sep 2022 09:35:37 -0700 |
| 10 | +Subject: [PATCH] language: reject excessively large Accept-Language strings |
| 11 | + |
| 12 | +The BCP 47 tag parser has quadratic time complexity due to inherent |
| 13 | +aspects of its design. Since the parser is, by design, exposed to |
| 14 | +untrusted user input, this can be leveraged to force a program to |
| 15 | +consume significant time parsing Accept-Language headers. |
| 16 | + |
| 17 | +The parser cannot be easily rewritten to fix this behavior for |
| 18 | +various reasons. Instead the solution implemented in this CL is to |
| 19 | +limit the total complexity of tags passed into ParseAcceptLanguage |
| 20 | +by limiting the number of dashes in the string to 1000. This should |
| 21 | +be more than enough for the majority of real world use cases, where |
| 22 | +the number of tags being sent is likely to be in the single digits. |
| 23 | + |
| 24 | +Thanks to the OSS-Fuzz project for discovering this issue and to Adam |
| 25 | +Korczynski (ADA Logics) for writing the fuzz case and for reporting the |
| 26 | +issue. |
| 27 | + |
| 28 | +Fixes CVE-2022-32149 |
| 29 | +Fixes golang/go#56152 |
| 30 | + |
| 31 | +Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae |
| 32 | +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112 |
| 33 | +Reviewed-by: Damien Neil <dneil@google.com> |
| 34 | +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> |
| 35 | +Reviewed-on: https://go-review.googlesource.com/c/text/+/442235 |
| 36 | +TryBot-Result: Gopher Robot <gobot@golang.org> |
| 37 | +Auto-Submit: Roland Shoemaker <roland@golang.org> |
| 38 | +Run-TryBot: Roland Shoemaker <roland@golang.org> |
| 39 | +--- |
| 40 | + vendor/golang.org/x/text/language/parse.go | 5 +++++ |
| 41 | + 1 file changed, 5 insertions(+) |
| 42 | + |
| 43 | +diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go |
| 44 | +index 11acfd8..3bba19f 100644 |
| 45 | +--- a/vendor/golang.org/x/text/language/parse.go |
| 46 | ++++ b/vendor/golang.org/x/text/language/parse.go |
| 47 | +@@ -133,6 +133,7 @@ func update(b *language.Builder, part ...interface{}) (err error) { |
| 48 | + } |
| 49 | + |
| 50 | + var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight") |
| 51 | ++var errTagListTooLarge = errors.New("tag list exceeds max length") |
| 52 | + |
| 53 | + // ParseAcceptLanguage parses the contents of an Accept-Language header as |
| 54 | + // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and |
| 55 | +@@ -142,6 +143,10 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight") |
| 56 | + // Tags with a weight of zero will be dropped. An error will be returned if the |
| 57 | + // input could not be parsed. |
| 58 | + func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) { |
| 59 | ++ if strings.Count(s, "-") > 1000 { |
| 60 | ++ return nil, nil, errTagListTooLarge |
| 61 | ++ } |
| 62 | ++ |
| 63 | + var entry string |
| 64 | + for s != "" { |
| 65 | + if entry, s = split(s, ','); entry == "" { |
| 66 | +-- |
| 67 | +2.33.8 |
| 68 | + |
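Review bot: The new guard at the top of `ParseAcceptLanguage` has no comment, so the reason for the literal 1000 and for counting `-` lives only in the commit message; a line such as `// Tag parsing is quadratic in the number of subtags; cap the '-' count to bound work on untrusted headers (CVE-2022-32149).` above the `if` would keep the rationale with the code. The function's doc comment still describes the error case only as input that "could not be parsed", and it should also state that input containing more than 1000 `-` characters is rejected. `errTagListTooLarge` omits the `ParseAcceptLanguage: ` prefix that `errInvalidWeight` on the preceding line uses, so the two errors read inconsistently in logs. The import block of the vendored parse.go is outside the hunk, so it is worth confirming that `strings` is already imported there; the body of `ParseAcceptLanguage` also continues past the end of the hunk.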