Impact
The strings.TrimLeft function is used at multiple points in the Dragonfly codebase to remove a prefix from a string. This function has unexpected behavior; its second argument is an unordered set of characters to remove, rather than a prefix to remove. The strings.TrimPrefix function should be used instead.
urlMeta.Range = strings.TrimLeft(r, http.RangePrefix)
The finding is informational because we were unable to determine an exploitable attack scenario based on the vulnerability.
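The difference between the two functions, shown on constructed Range values. This is an added example, not code from the Dragonfly repository: `rangePrefix` is an assumed stand-in for `http.RangePrefix` with the value `bytes=`, and `parseRange` is a hypothetical stricter helper.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// rangePrefix is an assumed stand-in for Dragonfly's http.RangePrefix.
const rangePrefix = "bytes="

var errNoPrefix = errors.New("range value does not start with the expected prefix")

// trimLeftRange mirrors the flagged pattern: the second argument is a
// character set, so any leading run of 'b','y','t','e','s','=' is removed.
func trimLeftRange(r string) string {
	return strings.TrimLeft(r, rangePrefix)
}

// trimPrefixRange removes the literal prefix at most once and leaves
// values without the prefix unchanged.
func trimPrefixRange(r string) string {
	return strings.TrimPrefix(r, rangePrefix)
}

// parseRange (hypothetical helper) rejects values that lack the prefix
// instead of passing them through unchanged.
func parseRange(r string) (string, error) {
	if !strings.HasPrefix(r, rangePrefix) {
		return "", errNoPrefix
	}
	return strings.TrimPrefix(r, rangePrefix), nil
}

func main() {
	// Constructed sample inputs: one well-formed value and three that
	// only TrimLeft normalizes to the same result.
	for _, in := range []string{"bytes=0-99", "bytes==0-99", "set=0-99", "yes0-99"} {
		spec, err := parseRange(in)
		fmt.Printf("%-14q TrimLeft=%-8q TrimPrefix=%-12q strict=%q err=%v\n",
			in, trimLeftRange(in), trimPrefixRange(in), spec, err)
	}
}
```

With `TrimLeft`, all four inputs collapse to `0-99`, so malformed values are indistinguishable from a valid one after trimming.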
Patches
- Dragonfly v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third-party security audit was performed by Trail of Bits; you can see the full report.
If you have any questions or comments about this advisory, please email us at [email protected].