
bump x/text to 0.3.8 #2305

Merged: 2 commits merged into labstack:master from fix/text-3-7-0 on Oct 18, 2022

Conversation

aldas (Contributor) commented Oct 14, 2022

Some information about that problem, also:

The BCP 47 tag parser has quadratic time complexity due to inherent
aspects of its design. Since the parser is, by design, exposed to
untrusted user input, this can be leveraged to force a program to
consume significant time parsing Accept-Language headers.

The fix was https://go-review.googlesource.com/c/text/+/442235/2/language/parse.go

aldas (Contributor) commented Oct 14, 2022

So I am trying to understand how Echo is affected by it through these dependencies.

So far, if you have something like this in your code, you are affected:

  • language.ParseAcceptLanguage(r.Header.Get("Accept-Language")) -- as it uses that problematic function directly
  • language.MatchStrings -- this function internally uses language.ParseAcceptLanguage

golang.org/x/net does not seem to have a direct dependency on the methods ParseAcceptLanguage or MatchStrings; there are no usages of the package golang.org/x/text/language in x/net.

golang.org/x/crypto does not use golang.org/x/text directly and is only indirectly tied to x/text by the golang.org/x/net dependency.

aldas (Contributor) commented Oct 14, 2022

@madmuffin1 what do you think? Echo is not directly/indirectly affected, because there is no code that links to that problematic function?

madmuffin1 (Contributor, Author) commented

My take on this: Echo is not directly affected, but should not have a vulnerable dependency, as implementing projects might refer to the affected method.

Our company forbids any library with vulnerable dependencies, so all our Echo projects will have to explicitly bump x/text rather than updating this dependency.
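Added example (not Echo's code and not part of this PR): a small Go program that reads `go list -m all` output and flags a golang.org/x/text version older than v0.3.8, the release carrying the parse.go fix linked above. The module list below is constructed for a hypothetical service that depends on Echo; every module name and version in it other than x/text's is illustrative. It answers madmuffin1's point (a vulnerable module anywhere in the graph, whether or not Echo calls into it). The separate question aldas raises, whether the vulnerable function is actually reachable from your code, is what `govulncheck ./...` reports from the call graph, so run that as the second check.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output for a hypothetical service
// that depends on Echo. Versions are illustrative, not taken from any real
// project; x/text is pinned one release before the fix.
const sampleModList = `example.com/myservice
github.com/labstack/echo/v4 v4.9.0
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
golang.org/x/text v0.3.7
`

// Module and first version carrying the BCP 47 parser fix.
const (
	xTextModule = "golang.org/x/text"
	xTextFixed  = "v0.3.8"
)

// splitVersion breaks "vMAJOR.MINOR.PATCH[-suffix][+build]" into its three
// numeric components and reports whether a pre-release or pseudo-version
// suffix ("-0.2022...", "-2021...-abcdef") was present.
func splitVersion(v string) (parts [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	core, suffix, hasSuffix := strings.Cut(v, "-")
	core, _, _ = strings.Cut(core, "+") // build metadata never affects precedence
	for i, s := range strings.SplitN(core, ".", 3) {
		n, err := strconv.Atoi(s)
		if err != nil {
			n = 0 // an unparsable component counts as 0 rather than aborting
		}
		parts[i] = n
	}
	return parts, hasSuffix && suffix != ""
}

// versionLess implements the part of Go module version precedence that
// matters here: numeric comparison of the core, and a pre-release or
// pseudo-version sorting before the release with the same core
// (v0.3.8-0.2022... < v0.3.8).
func versionLess(a, b string) bool {
	pa, preA := splitVersion(a)
	pb, preB := splitVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return preA && !preB
}

// vulnerableXText scans `go list -m all` output and returns the resolved
// golang.org/x/text version (empty if the module is absent from the graph)
// and whether that version predates the fix.
func vulnerableXText(modList string) (version string, vulnerable bool) {
	sc := bufio.NewScanner(strings.NewReader(modList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != xTextModule {
			continue
		}
		version = fields[1]
		// A module replace prints "old v1 => new v2"; the replacement wins.
		// Directory replacements ("=> ../local") carry no version and are
		// left at the pre-replacement version.
		if len(fields) >= 5 && fields[2] == "=>" {
			version = fields[4]
		}
		return version, versionLess(version, xTextFixed)
	}
	return "", false
}

func main() {
	v, bad := vulnerableXText(sampleModList)
	switch {
	case v == "":
		fmt.Println(xTextModule + " is not in the module graph")
	case bad:
		fmt.Printf("%s %s predates %s: run `go get %s@%s`\n",
			xTextModule, v, xTextFixed, xTextModule, xTextFixed)
	default:
		fmt.Printf("%s %s is at or past the fix\n", xTextModule, v)
	}
}
```

Pipe a real module list in place of the constant (`go list -m all`) to check a project; the version comparison deliberately treats a pseudo-version cut just before v0.3.8 as still vulnerable, which is the case a naive string comparison gets wrong.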

aldas (Contributor) left a review comment

LGTM

aldas (Contributor) commented Oct 18, 2022

As golang.org/x/* packages only support the last 2 versions and Echo 4, there are times when bumping an x/* package is problematic, as it could contain symbols that older Go versions do not understand. For example, currently bumping x/net to latest would mean dropping Go 1.16 support.

@aldas aldas merged commit 8f2bf82 into labstack:master Oct 18, 2022
@madmuffin1 madmuffin1 deleted the fix/text-3-7-0 branch November 7, 2022 08:34
@aldas aldas mentioned this pull request Dec 27, 2022

2 participants