136 字
1 分钟
golang 安全问题
2023-11-21
周报
安全
/
漏洞

golang 安全问题

net/http CRLF漏洞

没有判断:

Terminal window
docker pull golang:1.11.5-alpine3.7
ruri := r.URL.RequestURI()
if usingProxy && r.URL.Scheme != "" && r.URL.Opaque == "" {
  ruri = r.URL.Scheme + "://" + host + ruri
} else if r.Method == "CONNECT" && r.URL.Path == "" {
  // CONNECT requests normally give just the host and port, not a full URL.
  ruri = host
  if r.URL.Opaque != "" {
    ruri = r.URL.Opaque
  }
}
if stringContainsCTLByte(ruri) {
  return errors.New("net/http: can't write control character in Request.URL")
}

移除掉CRLF

// stringContainsCTLByte reports whether s contains any ASCII control character.
func stringContainsCTLByte(s string) bool {
  for i := 0; i < len(s); i++ {
    b := s[i]
    if b < ' ' || b == 0x7f {
      return true
    }
  }
  return false
}

golang 安全问题
https://rayepeng.net/posts/weekpost/golang-安全问题/
作者
Raye
发布于
2023-11-21
许可协议
CC BY-NC-SA 4.0
举头望明月,低头六便士——记吾非書店
周报21 惠州、新域名与阅读分享
© 2025 Raye. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari