Vulnerability in golang.org/x/text/language package has been fixed

 1 year ago
source link: https://golangtutorial.dev/news/fix-in-golang-text-package/

Recently, Adam Korczynski of ADA Logics discovered a vulnerability in the golang.org/x/text/language package that could be used to cause a denial of service.

What is the issue?

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design.

Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers.

In particular, an attacker can send a very large Accept-Language header that the ParseAcceptLanguage function takes excessive time to parse.

How was the issue fixed?

This issue is tracked as CVE-2022-32149 and issue #56152.

Version v0.3.8 of golang.org/x/text fixes this vulnerability in the golang.org/x/text/language package.

Here are the details of the fix.

Fix in ParseAcceptLanguage

```go
var errTagListTooLarge = errors.New("tag list exceeds max length")

func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
	defer func() {
		if recover() != nil {
			tag = nil
			q = nil
			err = ErrSyntax // the package's own sentinel error
		}
	}()

	// Reject the input up front if it contains too many subtag separators;
	// this bounds the amount of work the quadratic parser can be forced to do.
	if strings.Count(s, "-") > 1000 {
		return nil, nil, errTagListTooLarge
	}
	// ... the rest of the parser is unchanged
}
```

With the above fix, ParseAcceptLanguage rejects excessively large Accept-Language strings (more than 1000 hyphens) before parsing them.
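The same hyphen-count guard can be applied at the HTTP layer as a stopgap for services that cannot upgrade immediately. The following is an added example, not code from the x/text project; the middleware name limitAcceptLanguage and the helper statusFor are hypothetical, and the header values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Same bound the v0.3.8 fix applies inside ParseAcceptLanguage: every BCP 47
// subtag boundary is a hyphen, so counting hyphens bounds the parser's work.
const maxHyphens = 1000
var errTagListTooLarge = errors.New("tag list exceeds max length")

func checkAcceptLanguage(s string) error {
	if strings.Count(s, "-") > maxHyphens {
		return errTagListTooLarge
	}
	return nil
}

// limitAcceptLanguage (hypothetical) rejects oversized headers before any handler hands them to the parser.
func limitAcceptLanguage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := checkAcceptLanguage(r.Header.Get("Accept-Language")); err != nil {
			http.Error(w, "Accept-Language header too large", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request through the middleware and returns the status the client would see.
func statusFor(acceptLanguage string) int {
	h := limitAcceptLanguage(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Accept-Language", acceptLanguage)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("en-US,en;q=0.9,de;q=0.8")) // 200: normal browser header
	fmt.Println(statusFor(strings.Repeat("x-", 1001))) // 400: 1001 hyphens, rejected
}
```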

Official announcement

Here is the official announcement regarding this fix in the golang.org/x/text/language package.
