The Docker CLI
Sebastiaan van Stijn 8743e36a45
bump golang 1.12.10 (CVE-2019-16276)
full diff: https://github.com/golang/go/compare/go1.12.9...go1.12.10

```
Hi gophers,

We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.1).

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

The issue is CVE-2019-16276 and Go issue golang.org/issue/34540.

Thanks to Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh) for discovering and reporting this issue.

Downloads are available at https://golang.org/dl for all supported platforms.

Until next time,
Filippo on behalf of the Go team
```

From the patch: 6e6f4aaf70

```
net/textproto: don't normalize headers with spaces before the colon

RFC 7230 is clear about headers with a space before the colon, like

X-Answer : 42

being invalid, but we've been accepting and normalizing them for compatibility
purposes since CL 5690059 in 2012.

On the client side, this is harmless and indeed most browsers behave the same
to this day. On the server side, this becomes a security issue when the
behavior doesn't match that of a reverse proxy sitting in front of the server.

For example, if a WAF accepts them without normalizing them, it might be
possible to bypass its filters, because the Go server would interpret the
header differently. Worse, if the reverse proxy coalesces requests onto a
single HTTP/1.1 connection to a Go server, the understanding of the request
boundaries can get out of sync between them, allowing an attacker to tack an
arbitrary method and path onto a request by other clients, including
authentication headers unknown to the attacker.

This was recently presented at multiple security conferences:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

net/http servers already reject header keys with invalid characters.
Simply stop normalizing extra spaces in net/textproto, let it return them
unchanged like it does for other invalid headers, and let net/http enforce
RFC 7230, which is HTTP specific. This loses us normalization on the client
side, but there's no right answer on the client side anyway, and hiding the
issue sounds worse than letting the application decide.
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-27 23:30:54 +02:00
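The mismatch the quoted commit message describes, as an added illustration (not code from the Go patch or from docker/cli): a pre-fix splitter that normalizes `X-Answer : 42` to the key `X-Answer`, beside the post-fix behaviour that leaves the key exactly as sent so an RFC 7230 token check rejects it. Only the standard library is used; the function names and the sample header line are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// isTokenChar reports whether c may appear in an RFC 7230 token (header field name); space is not one.
func isTokenChar(c byte) bool {
	return c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
		strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidFieldName is the check a server applies to a key before acting on it.
func ValidFieldName(name string) bool {
	for i := 0; i < len(name); i++ {
		if !isTokenChar(name[i]) {
			return false
		}
	}
	return name != ""
}

// SplitHeaderLine splits one header line at its first colon. With normalize=true
// the spaces before the colon are trimmed (the pre-fix behaviour the commit
// describes); with normalize=false the key is returned as sent, so ValidFieldName can reject it.
func SplitHeaderLine(line string, normalize bool) (key, value string, err error) {
	i := strings.IndexByte(line, ':')
	if i < 0 {
		return "", "", errors.New("malformed header line: " + line)
	}
	key, value = line[:i], strings.Trim(line[i+1:], " \t")
	if normalize {
		key = strings.TrimRight(key, " ")
	}
	return key, value, nil
}

// ServerView reports the key a server ends up with and whether it accepts the line.
func ServerView(line string, normalize bool) (string, bool) {
	key, _, err := SplitHeaderLine(line, normalize)
	return key, err == nil && ValidFieldName(key)
}

func main() {
	for _, normalize := range []bool{true, false} {
		key, ok := ServerView("X-Answer : 42", normalize) // constructed sample line
		fmt.Printf("normalize=%-5v key=%q accepted=%v\n", normalize, key, ok)
	}
}
```

A proxy that forwarded the line untouched never saw a header named `X-Answer`, while the normalizing backend did; rejecting the line instead removes that disagreement.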
| Path | Last commit | Date |
|---|---|---|
| .github | Remove myself from codeowners 😅 | 2019-01-10 17:32:07 +01:00 |
| cli | Merge pull request #2103 from tiborvass/buildkit-vendor | 2019-09-24 19:27:49 -07:00 |
| cli-plugins | cli-plugins: add test names for easier debugging | 2019-05-22 15:35:34 +00:00 |
| cmd/docker | Use command.Cli instead of command.DockerCli | 2019-04-26 15:43:03 +01:00 |
| contrib/completion | Add riscv64 to manifest annotation and bash completion | 2019-09-10 13:00:23 -03:00 |
| dockerfiles | bump golang 1.12.10 (CVE-2019-16276) | 2019-09-27 23:30:54 +02:00 |
| docs | Clarifying docker config rules | 2019-09-16 10:22:20 -07:00 |
| e2e | TestSigProxyWithTTY: fix | 2019-07-30 17:40:31 -07:00 |
| experimental | Fix link to Kubernetes blog | 2018-12-29 01:39:54 +01:00 |
| internal | context: produce consistent output on `context create`. | 2019-05-13 16:42:03 +01:00 |
| kubernetes | Use underlying `NewKubernetesConfig` directly from compose-on-kubernetes. | 2019-05-14 15:43:15 +01:00 |
| man | Fix phrasing when referring to the freezer cgroup | 2019-08-18 13:55:20 +02:00 |
| opts | Adjust tests for changes in Go 1.12.8 / 1.11.13 | 2019-08-14 10:04:43 +02:00 |
| scripts | Support GOARM and windows .exe in binary target | 2019-05-06 10:43:18 -07:00 |
| service/logs | Update tests to use gotest.tools 👼 | 2018-06-08 18:24:26 +02:00 |
| templates | Update tests to use gotest.tools 👼 | 2018-06-08 18:24:26 +02:00 |
| types | Remove unused health check func | 2018-10-02 20:52:34 +02:00 |
| vendor | vendor: update buildkit to 10cef0c and fsutil 7f9f923 | 2019-09-24 00:11:38 +00:00 |
| .dockerignore | Update dockerignore | 2019-08-12 11:28:57 +02:00 |
| .gitignore | Update gitignore | 2017-09-27 16:45:35 +02:00 |
| .mailmap | Update AUTHORS and mailmap | 2019-08-11 21:53:44 +02:00 |
| AUTHORS | Update AUTHORS and mailmap | 2019-08-11 21:53:44 +02:00 |
| CONTRIBUTING.md | Add Contribution guidelines | 2017-07-28 11:33:19 -07:00 |
| Jenkinsfile | e2e: enable buildkit | 2019-08-12 11:29:04 +02:00 |
| LICENSE | Add project files | 2017-04-17 17:49:33 -04:00 |
| MAINTAINERS | Remove outdated completion reviewers file | 2018-08-01 15:08:36 +02:00 |
| Makefile | Add docker-compose schema v3.9 | 2019-08-30 10:58:05 +02:00 |
| NOTICE | switch kr/pty to creack/pty v1.1.7 | 2019-07-29 16:45:41 -07:00 |
| README.md | Add jenkins build status to readme | 2017-09-15 15:08:28 +02:00 |
| TESTING.md | Update TESTING.md to replace testify by gotest.tools | 2018-07-02 09:24:28 +02:00 |
| VERSION | Bump version to 19.09.0-dev | 2019-05-10 17:30:44 -07:00 |
| appveyor.yml | bump golang 1.12.10 (CVE-2019-16276) | 2019-09-27 23:30:54 +02:00 |
| circle.yml | Circle-CI: use progress=plain | 2019-08-12 11:29:02 +02:00 |
| codecov.yml | Fix PR comments | 2018-01-03 10:23:32 +01:00 |
| docker.Makefile | Add docker-compose schema v3.9 | 2019-08-30 10:58:05 +02:00 |
| gometalinter.json | Add support for kubernetes in docker cli | 2017-12-26 11:22:32 +01:00 |
| poule.yml | Add github templates and initial poule configuration | 2017-05-09 16:57:46 +02:00 |
| vendor.conf | vendor: update buildkit to 10cef0c and fsutil 7f9f923 | 2019-09-24 00:11:38 +00:00 |

README.md


docker/cli

This repository is the home of the cli used in the Docker CE and Docker EE products.

Development

docker/cli is developed using Docker.

Build a Linux binary:

```
$ make -f docker.Makefile binary
```

Build binaries for all supported platforms:

```
$ make -f docker.Makefile cross
```

Run all linting:

```
$ make -f docker.Makefile lint
```

List all the available targets:

```
$ make help
```

In-container development environment

Start an interactive development environment:

```
$ make -f docker.Makefile shell
```

In the development environment you can run many tasks, including building binaries:

```
$ make binary
```

Legal

Brought to you courtesy of our legal counsel. For more context, please see the NOTICE document in this repo.

Use and transfer of Docker may be subject to certain restrictions by the United States and other governments.

It is your responsibility to ensure that your use and/or transfer does not violate applicable laws.

For more information, please see https://www.bis.doc.gov

Licensing

docker/cli is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.