x/net/html: non-linear parsing of case-insensitive content

[rolandshoemaker]

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.

Thanks to Guido Vranken for reporting this issue.

This is CVE-2024-45338.

[gabyhelp]

Related Issues

• security: fix CVE-2024-45336 #70530
• security: fix CVE-2024-34157 #69140 (closed)
• security: fix CVE-2023-39324 #63212 (closed)
• security: fix CVE-2023-45288 #66297 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/637536 mentions this issue: html: use strings.EqualFold instead of lowering ourselves