@neild requested issue #67555 to be considered for backport to the next 1.22 minor release.
@gopherbot please open backport issues. This is a significant bug with no workaround.
Comment From: gabyhelp
Similar Issues
- net/http: `expect: 100-continue` handling is broken in various ways [1.21 backport] #68199
- x/net/http2: Client doesn't send body until ExpectContinueTimeout expires [1.16 backport] #49904
- x/net/http2: Client doesn't send body until ExpectContinueTimeout expires [1.17 backport] #49905
- net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 [1.21 backport] #66697
- net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 [1.22 backport] #66698
- x/net/http2: frequent failures in TestClientConnCloseAtBody [1.16 backport] #49910
- x/net/http2: frequent failures in TestClientConnCloseAtBody [1.17 backport] #49911
- net/http: HTTP/2 response body Close method sometimes returns spurious context cancelation error (1.17.3 regression) [1.16 backport] #49558
- net/http: HTTP/2 response body Close method sometimes returns spurious context cancelation error (1.17.3 regression) [1.17 backport] #49559
- net/http: context cancellation can leave HTTP client with deadlocked HTTP/1.1 connections in Go1.22 [1.22 backport] #65759
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)
Comment From: gopherbot
Change https://go.dev/cl/595235 mentions this issue: [release-branch.go1.22] net/http: send body or close connection on expect-100-continue requests
Comment From: gopherbot
Closed by merging 32229514396234a25d910ab26a4e5194671a2c9f to release-branch.go1.22.
Comment From: ldemailly
is this the security fix? how is it a security issue? any details now that 1.22.5 is released?
Comment From: ldemailly
ah ic from the email:
net/http: denial of service due to improper 100-continue handling The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Thanks to Geoff Franks for reporting this issue. This is CVE-2024-24791
Comment From: thanm
From the security team related to this issue:
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
Thanks to Geoff Franks for reporting this issue.
This is CVE-2024-24791.