Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

mime/multipart: limit parsed mime message sizes

Browse source 
The parsed forms of MIME headers and multipart forms can consume
substantially more memory than the size of the input data.
A malicious input containing a very large number of headers or
form parts can cause excessively large memory allocations.

Set limits on the size of MIME data:

Reader.NextPart and Reader.NextRawPart limit the the number
of headers in a part to 10000.

Reader.ReadForm limits the total number of headers in all
FileHeaders to 10000.

Both of these limits may be set with with
GODEBUG=multipartmaxheaders=<values>.

Reader.ReadForm limits the number of parts in a form to 1000.
This limit may be set with GODEBUG=multipartmaxparts=<value>.

Thanks for Jakob Ackermann (@das7pad) for reporting this issue.

For CVE-2023-24536
For #59153

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802455
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Change-Id: I08dd297bd75724aade4b0bd6a7d19aeca5bbf99f
Reviewed-on: https://go-review.googlesource.com/c/go/+/482077
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
This commit is contained in:
Damien Neil 2023-03-20 10:43:19 -07:00 committed by Gopher Robot
parent 3c010f2c21
commit 1e43cfa15b
8 changed files with 165 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

21
src/runtime/metrics/description.go
View file

@ -305,6 +305,27 @@ var allDesc = []Description{
Kind: KindUint64,
Cumulative: true,
},
{
Name: "/godebug/non-default-behavior/multipartfiles:events",
Description: "The number of non-default behaviors executed by the mime/multipart package " +
"due to a non-default GODEBUG=multipartfiles=... setting.",
Kind: KindUint64,
Cumulative: true,
},
{
Name: "/godebug/non-default-behavior/multipartmaxheaders:events",
Description: "The number of non-default behaviors executed by the mime/multipart package " +
"due to a non-default GODEBUG=multipartmaxheaders=... setting.",
Kind: KindUint64,
Cumulative: true,
},
{
Name: "/godebug/non-default-behavior/multipartmaxparts:events",
Description: "The number of non-default behaviors executed by the mime/multipart package " +
"due to a non-default GODEBUG=multipartmaxparts=... setting.",
Kind: KindUint64,
Cumulative: true,
},
{
Name: "/godebug/non-default-behavior/panicnil:events",
Description: "The number of non-default behaviors executed by the runtime package " +