fleet

mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00

History

jacobshandling 0eb8d432bf Safely split incoming request headers, remove support for token presence in request body (#39427 ) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issues: - Prevents unbounded split length exploits similar to https://nvd.nist.gov/vuln/detail/CVE-2025-30204 - Also removes parsing of request body for token, see https://github.com/fleetdm/fleet/issues/39659 - @iansltx I figured since this PR updates the code blocks in question, makes sense to [remove the body parsing here](https://github.com/fleetdm/fleet/pull/39427/changes#diff-83b0d73af21e81cf2c5ed4448718d0760543699fe6e36e401372467befea29edL30-L33), and clean up the [related dead code](`c1e3e89b5f/frontend/services/entities/installers.ts (L13)`) in a follow-up See https://fleetdm.slack.com/archives/C019WG4GH0A/p1770322925865209 - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually	2026-02-18 08:50:04 -08:00
..
token.go	Safely split incoming request headers, remove support for token presence in request body (#39427 )	2026-02-18 08:50:04 -08:00
token_test.go	Safely split incoming request headers, remove support for token presence in request body (#39427 )	2026-02-18 08:50:04 -08:00

Safely split incoming request headers, remove support for token presence in request body (#39427 )

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issues:**
- Prevents unbounded split length exploits similar to
https://nvd.nist.gov/vuln/detail/CVE-2025-30204
- Also removes parsing of request body for token, see
https://github.com/fleetdm/fleet/issues/39659
- @iansltx I figured since this PR updates the code blocks in question,
makes sense to [remove the body parsing
here](https://github.com/fleetdm/fleet/pull/39427/changes#diff-83b0d73af21e81cf2c5ed4448718d0760543699fe6e36e401372467befea29edL30-L33),
and clean up the [related dead
code](c1e3e89b5f/frontend/services/entities/installers.ts (L13))
in a follow-up

See https://fleetdm.slack.com/archives/C019WG4GH0A/p1770322925865209

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

2026-02-18 08:50:04 -08:00

token.go Safely split incoming request headers, remove support for token presence in request body (#39427 ) 2026-02-18 08:50:04 -08:00

token_test.go Safely split incoming request headers, remove support for token presence in request body (#39427 ) 2026-02-18 08:50:04 -08:00