
A DoS bug that’s worse than it seems

submitted by
Style Pass
2024-11-05 19:30:03

At Mattermost, we’re heavy users of the Go programming language and its extensive standard library, which is why we also care deeply about the security of the Go ecosystem. 

In recent weeks, we’ve taken some time to thoroughly analyze the contents of some of the security advisories published earlier this year by the Go team.

This blog post focuses on one such advisory in particular, CVE-2024-24791, and its practical security impact. Mattermost products are not affected by any part of the issue described here, and no action is required from customers.

The advisory describes a bug related to the Expect HTTP request header and the 100 Continue response status, or lack thereof. But what is this protocol feature? When would you use it? And how does a bug in it impact your average application?

Consider a server that allows you to upload images to it using HTTP. At the protocol level, the uploading would probably happen using an exchange such as the following:
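An added example, not from the original post and not Mattermost's code, of the Expect/100-continue exchange as Go's net/http implements it on both sides. The upload path, the 64 KiB limit and the status codes are assumptions chosen for illustration. The server decides from the headers alone and only emits 100 Continue when the handler first reads the body, so an oversized upload is refused before the client ever transmits it; the client counts how many body bytes actually went onto the wire.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// countingReader records how many bytes the client pulled from the request
// body, i.e. how much of the upload was actually transmitted.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// uploadHandler (hypothetical) accepts uploads of at most maxUpload bytes.
// It decides from Content-Length before touching r.Body: Go's server sends
// "100 Continue" only on the first Read of the body, so a rejection here
// means a conforming client never sends the payload.
func uploadHandler(maxUpload int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > maxUpload {
			// No 100 Continue is ever sent. Because the body was never read,
			// Go's server also answers with Connection: close, since unread
			// body bytes could otherwise be mistaken for the next request.
			http.Error(w, "upload too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Content-Length is client-controlled, so enforce the limit on the
		// bytes actually received as well.
		r.Body = http.MaxBytesReader(w, r.Body, maxUpload)
		if _, err := io.Copy(io.Discard, r.Body); err != nil {
			http.Error(w, "upload too large", http.StatusRequestEntityTooLarge)
			return
		}
		w.WriteHeader(http.StatusCreated)
	}
}

// upload PUTs payload to serverURL with "Expect: 100-continue" and reports
// the final status and the number of body bytes the client transmitted.
func upload(serverURL string, payload []byte) (status int, bodySent int64, err error) {
	tr := &http.Transport{
		// A zero ExpectContinueTimeout makes the client send the body at
		// once without waiting, which defeats Expect; DefaultTransport uses 1s.
		ExpectContinueTimeout: 2 * time.Second,
	}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}

	body := &countingReader{r: bytes.NewReader(payload)}
	req, err := http.NewRequest(http.MethodPut, serverURL+"/upload", body)
	if err != nil {
		return 0, 0, err
	}
	// Advertise the size so the server can decide before the body is sent.
	req.ContentLength = int64(len(payload))
	req.Header.Set("Expect", "100-continue")

	resp, err := client.Do(req)
	if err != nil {
		return 0, body.n, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, body.n, nil
}

// runExchange starts an in-process server with the given limit and performs
// one upload against it.
func runExchange(maxUpload int64, payload []byte) (status int, bodySent int64, err error) {
	srv := httptest.NewServer(uploadHandler(maxUpload))
	defer srv.Close()
	return upload(srv.URL, payload)
}

func main() {
	// Constructed sample payloads: one under the limit, one far over it.
	small := bytes.Repeat([]byte("a"), 1024)
	large := bytes.Repeat([]byte("b"), 1<<20)
	for _, p := range [][]byte{small, large} {
		status, sent, err := runExchange(64*1024, p)
		fmt.Printf("payload=%d bytes status=%d body bytes sent=%d err=%v\n", len(p), status, sent, err)
	}
}
```

Two details matter for the exchange to work as intended. On the client, the Expect header alone is not enough: net/http only waits for the interim response when the transport's ExpectContinueTimeout is non-zero, and after that timeout it sends the body anyway on the assumption that the server does not support the feature. On the server, the decision has to be made before the first Read of r.Body, because that first Read is what triggers the 100 Continue; a handler that reads the body and then rejects has already paid for the upload.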
