CVE-2017-1000098: net/http: backport "multipart ReadForm close file after copy" to 1.7 · Issue #17965 · golang/go

The net/http package’s Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given “maxMemory” limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

commit 7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
Author: Michael Fraenkel <[email protected]>
Date:   Wed Oct 5 11:27:34 2016 -0400

    net/http: multipart ReadForm close file after copy
    
    Always close the file regardless of whether the copy succeeds or fails.
    Pass along the close error if the copy succeeds
    
    Fixes #16296
    
    Change-Id: Ib394655b91d25750f029f17b3846d985f673fb50
    Reviewed-on: https://go-review.googlesource.com/30410
    Reviewed-by: Brad Fitzpatrick <[email protected]>
    Run-TryBot: Brad Fitzpatrick <[email protected]>
    TryBot-Result: Gobot Gobot <[email protected]>

Reportedly, it closes a potential DoS vector: exhaustion of a server’s file descriptors.
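The close-after-copy pattern the commit message describes, as an added example that is not the Go project's code. `spillPart`, `spillForm`, the `closed` counter and the constructed `part` body are hypothetical names, and unlike `ParseMultipartForm` this code writes every part to disk instead of honouring `maxMemory`.

```go
package main

import (
	"fmt"
	"io"
	"mime/multipart"
	"os"
	"strings"
)

var closed int // temp-file handles released so far (instrumentation for the demo)

// spillPart (hypothetical helper) copies src to a new temp file in dir.
func spillPart(src io.Reader, dir string) (string, error) {
	f, err := os.CreateTemp(dir, "multipart-")
	if err != nil {
		return "", err
	}
	_, err = io.Copy(f, src)
	if cerr := f.Close(); err == nil { // always close, copy error or not
		err = cerr // the close error is passed along only if the copy succeeded
	}
	closed++
	return f.Name(), err
}

// spillForm spills each part of a multipart body, holding one handle at a time.
func spillForm(body io.Reader, boundary, dir string) (int, error) {
	mr, n := multipart.NewReader(body, boundary), 0
	for p, e := mr.NextPart(); e != io.EOF; p, e = mr.NextPart() {
		if e == nil {
			_, e = spillPart(p, dir)
		}
		if e != nil {
			return n, e
		}
		n++
	}
	return n, nil
}

// part is one constructed file part for boundary "B"; a body is N parts plus "--B--\r\n".
const part = "--B\r\nContent-Disposition: form-data; name=\"f\"; filename=\"a\"\r\n\r\ndata\r\n"

func main() {
	dir, _ := os.MkdirTemp("", "spill")
	defer os.RemoveAll(dir)
	n, err := spillForm(strings.NewReader(strings.Repeat(part, 3)+"--B--\r\n"), "B", dir)
	fmt.Println(n, closed, err)
}
```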
