rebase: ParseAcceptLanguage takes a long time to parse complex tags

A vulnerability was found in golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Version v0.3.8 of golang.org/x/text fixes a vulnerability. See-also: https://go.dev/issue/56152 See-also: https://bugzilla.redhat.com/CVE-2022-32149 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 18:43:34 +00:00 · 2022-10-17 08:49:59 +02:00
parent b3837d44ce
commit e08005f402
27 changed files with 667 additions and 583 deletions
--- a/vendor/golang.org/x/text/language/doc.go
+++ b/vendor/golang.org/x/text/language/doc.go
@ -10,18 +10,17 @@
 // and provides the user with the best experience
 // (see https://blog.golang.org/matchlang).
 //
-//
-// Matching preferred against supported languages
+// # Matching preferred against supported languages
 //
 // A Matcher for an application that supports English, Australian English,
 // Danish, and standard Mandarin can be created as follows:
 //
-//    var matcher = language.NewMatcher([]language.Tag{
-//        language.English,   // The first language is used as fallback.
-//        language.MustParse("en-AU"),
-//        language.Danish,
-//        language.Chinese,
-//    })
+//	var matcher = language.NewMatcher([]language.Tag{
+//	    language.English,   // The first language is used as fallback.
+//	    language.MustParse("en-AU"),
+//	    language.Danish,
+//	    language.Chinese,
+//	})
 //
 // This list of supported languages is typically implied by the languages for
 // which there exists translations of the user interface.
@ -30,14 +29,14 @@
 // language tags.
 // The MatchString finds best matches for such strings:
 //
-//    handler(w http.ResponseWriter, r *http.Request) {
-//        lang, _ := r.Cookie("lang")
-//        accept := r.Header.Get("Accept-Language")
-//        tag, _ := language.MatchStrings(matcher, lang.String(), accept)
+//	handler(w http.ResponseWriter, r *http.Request) {
+//	    lang, _ := r.Cookie("lang")
+//	    accept := r.Header.Get("Accept-Language")
+//	    tag, _ := language.MatchStrings(matcher, lang.String(), accept)
 //
-//        // tag should now be used for the initialization of any
-//        // locale-specific service.
-//    }
+//	    // tag should now be used for the initialization of any
+//	    // locale-specific service.
+//	}
 //
 // The Matcher's Match method can be used to match Tags directly.
 //
@ -48,8 +47,7 @@
 // For instance, it will know that a reader of Bokmål Danish can read Norwegian
 // and will know that Cantonese ("yue") is a good match for "zh-HK".
 //
-//
-// Using match results
+// # Using match results
 //
 // To guarantee a consistent user experience to the user it is important to
 // use the same language tag for the selection of any locale-specific services.
@ -58,9 +56,9 @@
 // More subtly confusing is using the wrong sorting order or casing
 // algorithm for a certain language.
 //
-//    All the packages in x/text that provide locale-specific services
-//    (e.g. collate, cases) should be initialized with the tag that was
-//    obtained at the start of an interaction with the user.
+// All the packages in x/text that provide locale-specific services
+// (e.g. collate, cases) should be initialized with the tag that was
+// obtained at the start of an interaction with the user.
 //
 // Note that Tag that is returned by Match and MatchString may differ from any
 // of the supported languages, as it may contain carried over settings from
@ -70,8 +68,7 @@
 // Match and MatchString both return the index of the matched supported tag
 // to simplify associating such data with the matched tag.
 //
-//
-// Canonicalization
+// # Canonicalization
 //
 // If one uses the Matcher to compare languages one does not need to
 // worry about canonicalization.
@ -92,10 +89,9 @@
 // equivalence relations. The CanonType type can be used to alter the
 // canonicalization form.
 //
-// References
+// # References
 //
 // BCP 47 - Tags for Identifying Languages http://tools.ietf.org/html/bcp47
-//
 package language // import "golang.org/x/text/language"

 // TODO: explanation on how to match languages for your own locale-specific
--- a/vendor/golang.org/x/text/language/match.go
+++ b/vendor/golang.org/x/text/language/match.go
@ -545,7 +545,7 @@ type bestMatch struct {
 // match as the preferred match.
 //
 // If pin is true and have and tag are a strong match, it will henceforth only
-// consider matches for this language. This corresponds to the nothing that most
+// consider matches for this language. This corresponds to the idea that most
 // users have a strong preference for the first defined language. A user can
 // still prefer a second language over a dialect of the preferred language by
 // explicitly specifying dialects, e.g. "en, nl, en-GB". In this case pin should
--- a/vendor/golang.org/x/text/language/parse.go
+++ b/vendor/golang.org/x/text/language/parse.go
@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
 }

 var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
+var errTagListTooLarge = errors.New("tag list exceeds max length")

 // ParseAcceptLanguage parses the contents of an Accept-Language header as
 // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
 		}
 	}()

+	if strings.Count(s, "-") > 1000 {
+		return nil, nil, errTagListTooLarge
+	}
+
 	var entry string
 	for s != "" {
 		if entry, s = split(s, ','); entry == "" {
--- a/vendor/golang.org/x/text/language/tables.go
+++ b/vendor/golang.org/x/text/language/tables.go
@ -39,12 +39,12 @@ const (
 	_Hani = 57
 	_Hans = 59
 	_Hant = 60
-	_Qaaa = 143
-	_Qaai = 151
-	_Qabx = 192
-	_Zinh = 245
-	_Zyyy = 250
-	_Zzzz = 251
+	_Qaaa = 147
+	_Qaai = 155
+	_Qabx = 196
+	_Zinh = 252
+	_Zyyy = 257
+	_Zzzz = 258
 )

 var regionToGroups = []uint8{ // 358 elements
@ -265,9 +265,9 @@ var matchScript = []scriptIntelligibility{ // 26 elements
 	13: {wantLang: 0x39d, haveLang: 0x139, wantScript: 0x36, haveScript: 0x5a, distance: 0xa},
 	14: {wantLang: 0x3be, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5a, distance: 0xa},
 	15: {wantLang: 0x3fa, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5a, distance: 0xa},
-	16: {wantLang: 0x40c, haveLang: 0x139, wantScript: 0xcf, haveScript: 0x5a, distance: 0xa},
-	17: {wantLang: 0x450, haveLang: 0x139, wantScript: 0xde, haveScript: 0x5a, distance: 0xa},
-	18: {wantLang: 0x461, haveLang: 0x139, wantScript: 0xe1, haveScript: 0x5a, distance: 0xa},
+	16: {wantLang: 0x40c, haveLang: 0x139, wantScript: 0xd4, haveScript: 0x5a, distance: 0xa},
+	17: {wantLang: 0x450, haveLang: 0x139, wantScript: 0xe3, haveScript: 0x5a, distance: 0xa},
+	18: {wantLang: 0x461, haveLang: 0x139, wantScript: 0xe6, haveScript: 0x5a, distance: 0xa},
 	19: {wantLang: 0x46f, haveLang: 0x139, wantScript: 0x2c, haveScript: 0x5a, distance: 0xa},
 	20: {wantLang: 0x476, haveLang: 0x3e2, wantScript: 0x5a, haveScript: 0x20, distance: 0xa},
 	21: {wantLang: 0x4b4, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5a, distance: 0xa},