Unfortunately this patch fails to apply:

Applying: golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters
error: sha1 information is lacking or useless (meta/recipes-devtools/go/go-1.17.13.inc).
error: could not build fake ancestor
Patch failed at 0001 golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters
Steve On Mon, Nov 7, 2022 at 10:13 PM Hitendra Prajapati <[email protected]> wrote:
>
> Upstream-Status: Backport from
> https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e
>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---
> meta/recipes-devtools/go/go-1.17.13.inc | 1 +
> .../go/go-1.18/CVE-2022-2880.patch | 164 ++++++++++++++++++
> 2 files changed, 165 insertions(+)
> create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-2880.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> index b9129e3d75..8230cf2187 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -18,6 +18,7 @@ SRC_URI += "\
> file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
> file://CVE-2022-27664.patch \
> file://CVE-2022-41715.patch \
> + file://CVE-2022-2880.patch \
> "
> SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>
> diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-2880.patch
> b/meta/recipes-devtools/go/go-1.18/CVE-2022-2880.patch
> new file mode 100644
> index 0000000000..ef274a8543
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-2880.patch
> @@ -0,0 +1,164 @@
> +From f91f888dd6f10e3c776d4a6b8b776241cca67a9e Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <[email protected]>
> +Date: Tue, 8 Nov 2022 10:35:06 +0530
> +Subject: [PATCH] CVE-2022-2880
> +
> +Upstream-Status: Backport
> [https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e]
> +CVE: CVE-2022-2880
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +
> +net/http/httputil: avoid query parameter
> +
> +Query parameter smuggling occurs when a proxy's interpretation
> +of query parameters differs from that of a downstream server.
> +Change ReverseProxy to avoid forwarding ignored query parameters.
> +
> +Remove unparsable query parameters from the outbound request
> +
> + * if req.Form != nil after calling ReverseProxy.Director; and
> + * before calling ReverseProxy.Rewrite.
> +
> +This change preserves the existing behavior of forwarding the
> +raw query untouched if a Director hook does not parse the query
> +by calling Request.ParseForm (possibly indirectly).
> +---
> + src/net/http/httputil/reverseproxy.go | 36 +++++++++++
> + src/net/http/httputil/reverseproxy_test.go | 74 ++++++++++++++++++++++
> + 2 files changed, 110 insertions(+)
> +
> +diff --git a/src/net/http/httputil/reverseproxy.go
> b/src/net/http/httputil/reverseproxy.go
> +index 8b63368..c76eec6 100644
> +--- a/src/net/http/httputil/reverseproxy.go
> ++++ b/src/net/http/httputil/reverseproxy.go
> +@@ -249,6 +249,9 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter,
> req *http.Request) {
> + }
> +
> + p.Director(outreq)
> ++ if outreq.Form != nil {
> ++ outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
> ++ }
> + outreq.Close = false
> +
> + reqUpType := upgradeType(outreq.Header)
> +@@ -628,3 +631,36 @@ func (c switchProtocolCopier) copyToBackend(errc chan<-
> error) {
> + _, err := io.Copy(c.backend, c.user)
> + errc <- err
> + }
> ++
> ++func cleanQueryParams(s string) string {
> ++ reencode := func(s string) string {
> ++ v, _ := url.ParseQuery(s)
> ++ return v.Encode()
> ++ }
> ++ for i := 0; i < len(s); {
> ++ switch s[i] {
> ++ case ';':
> ++ return reencode(s)
> ++ case '%':
> ++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
> ++ return reencode(s)
> ++ }
> ++ i += 3
> ++ default:
> ++ i++
> ++ }
> ++ }
> ++ return s
> ++}
> ++
> ++func ishex(c byte) bool {
> ++ switch {
> ++ case '0' <= c && c <= '9':
> ++ return true
> ++ case 'a' <= c && c <= 'f':
> ++ return true
> ++ case 'A' <= c && c <= 'F':
> ++ return true
> ++ }
> ++ return false
> ++}
> +diff --git a/src/net/http/httputil/reverseproxy_test.go
> b/src/net/http/httputil/reverseproxy_test.go
> +index 4b6ad77..8c0a4f1 100644
> +--- a/src/net/http/httputil/reverseproxy_test.go
> ++++ b/src/net/http/httputil/reverseproxy_test.go
> +@@ -1517,3 +1517,77 @@ func TestJoinURLPath(t *testing.T) {
> + }
> + }
> + }
> ++
> ++const (
> ++ testWantsCleanQuery = true
> ++ testWantsRawQuery = false
> ++)
> ++
> ++func TestReverseProxyQueryParameterSmugglingDirectorDoesNotParseForm(t
> *testing.T) {
> ++ testReverseProxyQueryParameterSmuggling(t, testWantsRawQuery, func(u
> *url.URL) *ReverseProxy {
> ++ proxyHandler := NewSingleHostReverseProxy(u)
> ++ oldDirector := proxyHandler.Director
> ++ proxyHandler.Director = func(r *http.Request) {
> ++ oldDirector(r)
> ++ }
> ++ return proxyHandler
> ++ })
> ++}
> ++
> ++func TestReverseProxyQueryParameterSmugglingDirectorParsesForm(t
> *testing.T) {
> ++ testReverseProxyQueryParameterSmuggling(t, testWantsCleanQuery,
> func(u *url.URL) *ReverseProxy {
> ++ proxyHandler := NewSingleHostReverseProxy(u)
> ++ oldDirector := proxyHandler.Director
> ++ proxyHandler.Director = func(r *http.Request) {
> ++ // Parsing the form causes ReverseProxy to remove
> unparsable
> ++ // query parameters before forwarding.
> ++ r.FormValue("a")
> ++ oldDirector(r)
> ++ }
> ++ return proxyHandler
> ++ })
> ++}
> ++
> ++func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery
> bool, newProxy func(*url.URL) *ReverseProxy) {
> ++ const content = "response_content"
> ++ backend := httptest.NewServer(http.HandlerFunc(func(w
> http.ResponseWriter, r *http.Request) {
> ++ w.Write([]byte(r.URL.RawQuery))
> ++ }))
> ++ defer backend.Close()
> ++ backendURL, err := url.Parse(backend.URL)
> ++ if err != nil {
> ++ t.Fatal(err)
> ++ }
> ++ proxyHandler := newProxy(backendURL)
> ++ frontend := httptest.NewServer(proxyHandler)
> ++ defer frontend.Close()
> ++
> ++ // Don't spam output with logs of queries containing semicolons.
> ++ backend.Config.ErrorLog = log.New(io.Discard, "", 0)
> ++ frontend.Config.ErrorLog = log.New(io.Discard, "", 0)
> ++
> ++ for _, test := range []struct {
> ++ rawQuery string
> ++ cleanQuery string
> ++ }{{
> ++ rawQuery: "a=1&a=2;b=3",
> ++ cleanQuery: "a=1",
> ++ }, {
> ++ rawQuery: "a=1&a=%zz&b=3",
> ++ cleanQuery: "a=1&b=3",
> ++ }} {
> ++ res, err := frontend.Client().Get(frontend.URL + "?" +
> test.rawQuery)
> ++ if err != nil {
> ++ t.Fatalf("Get: %v", err)
> ++ }
> ++ defer res.Body.Close()
> ++ body, _ := io.ReadAll(res.Body)
> ++ wantQuery := test.rawQuery
> ++ if wantCleanQuery {
> ++ wantQuery = test.cleanQuery
> ++ }
> ++ if got, want := string(body), wantQuery; got != want {
> ++ t.Errorf("proxy forwarded raw query %q as %q, want
> %q", test.rawQuery, got, want)
> ++ }
> ++ }
> ++}
> +--
> +2.25.1
> +
> --
> 2.25.1
>
>
>
>
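Review bot: The `if outreq.Form != nil` guard added after `p.Director(outreq)` in ServeHTTP makes the query cleanup conditional on the Director having populated `Form`, and nothing at the call site documents that. A Director that inspects parameters through `r.URL.Query()` does not set `Form`, so for such proxies the raw query is still forwarded unchanged, which is the behaviour `TestReverseProxyQueryParameterSmugglingDirectorDoesNotParseForm` pins. I would add a comment above the guard, `// Clean the query only if Director parsed it (Form != nil); otherwise the raw query is forwarded as-is.`, so that integrators relying on this backport know when the mitigation applies. A short comment on `reencode` should also say that the `url.ParseQuery` error is dropped on purpose, since only the pairs that parsed successfully are re-encoded. ServeHTTP starts and ends outside the hunk.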
