From 2dcaaa751295597e1f603b7488c4624db6a84d2b Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Mon, 3 Nov 2025 14:28:47 -0800 Subject: net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters net/url does not currently limit the number of query parameters parsed by url.ParseQuery or URL.Query. When parsing a application/x-www-form-urlencoded form, net/http.Request.ParseForm will parse up to 10 MB of query parameters. An input consisting of a large number of small, unique parameters can cause excessive memory consumption. We now limit the number of query parameters parsed to 10000 by default. The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=. Setting urlmaxqueryparams to 0 disables the limit. Thanks to jub0bs for reporting this issue. Fixes #77101 Fixes CVE-2025-61726 Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020 Reviewed-by: Nicholas Husin Reviewed-by: Neal Patel Reviewed-on: https://go-review.googlesource.com/c/go/+/736712 Auto-Submit: Michael Pratt Reviewed-by: Junyang Shao LUCI-TryBot-Result: Go LUCI --- doc/godebug.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc/godebug.md') diff --git a/doc/godebug.md b/doc/godebug.md index 28a2dc506e..184e161c40 100644 --- a/doc/godebug.md +++ b/doc/godebug.md 
@@ -163,6 +163,13 @@ will fail early. The default value is `httpcookiemaxnum=3000`. Setting number of cookies. To avoid denial of service attacks, this setting and default was backported to Go 1.25.2 and Go 1.24.8. +Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number +of query parameters that net/url will accept when parsing a URL-encoded query string. +If the number of parameters exceeds the number set in `urlmaxqueryparams`, +parsing will fail early. The default value is `urlmaxqueryparams=10000`. +Setting `urlmaxqueryparams=0`bles the limit. To avoid denial of service attacks, +this setting and default was backported to Go 1.25.4 and Go 1.24.10. + Go 1.26 added a new `urlstrictcolons` setting that controls whether `net/url.Parse` allows malformed hostnames containing colons outside of a bracketed IPv6 address. The default `urlstrictcolons=1` rejects URLs such as `http://localhost:1:2` or `http://::1/`. -- cgit v1.3 From 7251c9e0f00a6d7d37bb441f3e823c160131e9b5 Mon Sep 17 00:00:00 2001 From: Michael Pratt Date: Fri, 16 Jan 2026 12:20:39 -0500 Subject: doc: fix urlmaxqueryparams typos Updates #77101. Change-Id: I6a6a636cd58e1bd01943066368cb1424db6c6a92 Reviewed-on: https://go-review.googlesource.com/c/go/+/737040 Reviewed-by: Damien Neil Auto-Submit: Michael Pratt LUCI-TryBot-Result: Go LUCI --- doc/godebug.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc/godebug.md') diff --git a/doc/godebug.md b/doc/godebug.md index 184e161c40..90ed63a01a 100644 --- a/doc/godebug.md +++ b/doc/godebug.md 
@@ -167,8 +167,8 @@ Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number of query parameters that net/url will accept when parsing a URL-encoded query string. If the number of parameters exceeds the number set in `urlmaxqueryparams`, parsing will fail early. The default value is `urlmaxqueryparams=10000`. -Setting `urlmaxqueryparams=0`bles the limit. To avoid denial of service attacks, -this setting and default was backported to Go 1.25.4 and Go 1.24.10. +Setting `urlmaxqueryparams=0` disables the limit. To avoid denial of service +attacks, this setting and default was backported to Go 1.25.6 and Go 1.24.12. Go 1.26 added a new `urlstrictcolons` setting that controls whether `net/url.Parse` allows malformed hostnames containing colons outside of a bracketed IPv6 address. -- cgit v1.3
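Review bot: on the first patch (2dcaaa75), the added line `Setting `urlmaxqueryparams=0`bles the limit.` has lost part of a word and should read `Setting `urlmaxqueryparams=0` disables the limit.`; the same sentence pair also has a subject/verb mismatch, since `this setting and default was backported` has a compound subject and wants `were backported`. The backport releases named there (Go 1.25.4 and Go 1.24.10) are also worth confirming against the actual security release numbers before this lands, because the follow-up commit on this page replaces them with Go 1.25.6 and Go 1.24.12.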
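Review bot: on the second patch (7251c9e0), the subject line says `fix urlmaxqueryparams typos`, but the replacement lines change the stated backport releases from Go 1.25.4 / Go 1.24.10 to Go 1.25.6 / Go 1.24.12, which is a factual correction rather than a typo; the commit message should say so explicitly so readers of the history know which releases actually carry the fix. The grammar slip from the first patch survives in the new lines as well: `this setting and default was backported` should be `this setting and default were backported`.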
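The commit message above describes the resource-exhaustion risk (many small, unique query parameters drive allocation in `url.ParseQuery` and `Request.ParseForm`) and the new `urlmaxqueryparams` GODEBUG that caps the count at 10000 by default. The following is an added example, not code from the Go project or from either commit: it shows an application-level guard that bounds the parameter count before handing the string to `net/url`, so the same protection applies on toolchains that predate the GODEBUG setting. The limit value, the function names `countQueryParams` and `ParseQueryBounded`, and the constructed sample queries are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// defaultMaxQueryParams mirrors the default the patch documents
// (urlmaxqueryparams=10000). Assumed value for this example; tune per service.
const defaultMaxQueryParams = 10000

// ErrTooManyParams is returned when a query string exceeds the configured bound.
var ErrTooManyParams = errors.New("query string has too many parameters")

// countQueryParams returns an upper bound on the number of key=value pairs in a
// raw query string without allocating anything per parameter. net/url splits
// on '&' (and historically treated ';' as a separator), so both are counted;
// over-counting is acceptable because this is a pre-check, not the parser.
func countQueryParams(raw string) int {
	if raw == "" {
		return 0
	}
	return 1 + strings.Count(raw, "&") + strings.Count(raw, ";")
}

// ParseQueryBounded rejects an oversized query before url.ParseQuery allocates
// a map entry per parameter. A limit of 0 disables the check, matching the
// semantics the commit gives urlmaxqueryparams=0.
func ParseQueryBounded(raw string, limit int) (url.Values, error) {
	if limit > 0 && countQueryParams(raw) > limit {
		return nil, ErrTooManyParams
	}
	return url.ParseQuery(raw)
}

// buildQuery constructs a query string with n distinct single-character
// parameters (constructed sample input for the demonstration below).
func buildQuery(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "p%d=1", i)
	}
	return b.String()
}

func main() {
	// Well within the bound: parsed normally.
	v, err := ParseQueryBounded("user=alice&page=2", defaultMaxQueryParams)
	fmt.Println(v.Get("user"), v.Get("page"), err)

	// One past the bound: rejected before any per-parameter allocation.
	_, err = ParseQueryBounded(buildQuery(defaultMaxQueryParams+1), defaultMaxQueryParams)
	fmt.Println("oversized query:", err)
}
```

In an HTTP handler, apply the same check to `r.URL.RawQuery` (and, for form posts, to the body before calling `r.ParseForm`) so a single request cannot force the server to build a large `url.Values` map; on Go versions that ship the GODEBUG, the two limits simply stack.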