golang security issues

Nov 20, 2023#安全 #漏洞128

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

The code is checking for a CRLF vulnerability in the net/http package. It pulls the golang:1.11.5-alpine3.7 image and then checks if the request URI contains any control characters. If it does, an error is returned. The code also includes a function to check if a string contains any ASCII control characters.

net/http CRLF Vulnerability#

Not judged:

docker pull golang:1.11.5-alpine3.7

ruri := r.URL.RequestURI()
if usingProxy && r.URL.Scheme != "" && r.URL.Opaque == "" {
	ruri = r.URL.Scheme + "://" + host + ruri
} else if r.Method == "CONNECT" && r.URL.Path == "" {
	// CONNECT requests normally give just the host and port, not a full URL.
	ruri = host
	if r.URL.Opaque != "" {
		ruri = r.URL.Opaque
	}
}
if stringContainsCTLByte(ruri) {
	return errors.New("net/http: can't write control character in Request.URL")
}

Remove CRLF

// stringContainsCTLByte reports whether s contains any ASCII control character.
func stringContainsCTLByte(s string) bool {
	for i := 0; i < len(s); i++ {
		b := s[i]
		if b < ' ' || b == 0x7f {
			return true
		}
	}
	return false
}