crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints [CVE-2024-45341] [1.23 backport] #71208
Comments
gopherbot
added
CherryPickCandidate
|
Change https://go.dev/cl/643103 mentions this issue: |
… URIs When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For #71156 Fixes #71208 Fixes CVE-2024-45341 Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> (cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/643103 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Michael Pratt <[email protected]>
mknyszek
changed the title
dmitshur
added
CherryPickApproved
… URIs When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For golang#71156 Fixes golang#71208 Fixes CVE-2024-45341 Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> (cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/643103 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]> Reviewed-by: Michael Pratt <[email protected]>
|
Hi everyone, I believe the new condition: if _, err := netip.ParseAddr(host); err == nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {
return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
}should use Previously, we checked if net.ParseIP(host) != nil, which explicitly verified that the host was a valid IP. Now, using err == nil with netip.ParseAddr(host) changes the logic. This means that any successfully parsed address triggers the error, which seems incorrect. Shouldn't the condition be: if _, err := netip.ParseAddr(host); err != nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {
return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
}This would align more closely with the original intent. Let me know if I'm missing something! |
|
The earlier code tested The new code tests So the code seems roughly equivalent. Am I missing something? I don't really know what this code is doing, but the error message suggests that if the URI is an IP address, rather than, say, a domain name, the match of the URI against the constraint will fail. So it is correct to say that if the host can be parsed as an IP address, then the code should return an error. |
@neild requested issue #71156 to be considered for backport to the next 1.23 minor release.
The text was updated successfully, but these errors were encountered: