go/src/net/http
Damien Neil ac1f5aa3d6 [release-branch.go1.24] net/http: reject newlines in chunk-size lines
Unlike request headers, where we are allowed to leniently accept
a bare LF in place of a CRLF, chunked bodies must always use CRLF
line terminators. We were already enforcing this for chunk-data lines;
do so for chunk-size lines as well. Also reject bare CRs anywhere
other than as part of the CRLF terminator.

Fixes CVE-2025-22871
Fixes #72011
For #71988

Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
Reviewed-by: Jonathan Amsterdam <jba@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit d31c805535)
Reviewed-on: https://go-review.googlesource.com/c/go/+/657056
2025-03-18 12:40:27 -07:00
cgi all: use slices.Sorted(maps.Keys(m)) 2024-10-02 14:22:59 +00:00
cookiejar cmd,log,net,runtime: simplify string prefix and suffix processing 2024-07-29 21:29:17 +00:00
fcgi
httptest net/http/httptest: add comment to Server.Client() about Server.URL 2024-05-10 17:26:10 +00:00
httptrace
httputil net/http/httputil: return after handling error 2024-11-18 16:43:40 +00:00
internal [release-branch.go1.24] net/http: reject newlines in chunk-size lines 2025-03-18 12:40:27 -07:00
pprof net/http/pprof: replace sort.Slice with slices.SortFunc 2024-10-25 21:42:41 +00:00
testdata
alpn_test.go
async_test.go net/http: run TestServerShutdownStateNew in a synctest bubble 2024-11-25 22:02:07 +00:00
client.go net/http: persist header stripping across repeated redirects 2025-01-16 10:58:54 -08:00
client_test.go net/http: persist header stripping across repeated redirects 2025-01-16 10:58:54 -08:00
clientserver_test.go net/http: test for racing idle conn closure and new requests 2024-11-26 18:05:09 +00:00
clone.go all: document legacy //go:linkname for modules with ≥200 dependents 2024-05-23 01:17:26 +00:00
cookie.go net/http: add partitioned attribute to cookie type 2024-05-22 18:33:05 +00:00
cookie_test.go net/http: add partitioned attribute to cookie type 2024-05-22 18:33:05 +00:00
doc.go
example_filesystem_test.go net/http: match os.File.Readdir behavior in DotFileHiding 2024-07-30 23:08:52 +00:00
example_handle_test.go
example_test.go net/http: add Protocols field to Server and Transport 2024-11-05 22:14:59 +00:00
export_test.go net/http: don't cancel Dials when requests are canceled 2024-04-17 21:11:57 +00:00
filetransport.go net/http: document io.Seeker requirement for fs.FS arguments 2024-07-15 16:32:33 +00:00
filetransport_test.go
fs.go net/http: document io.Seeker requirement for fs.FS arguments 2024-07-15 16:32:33 +00:00
fs_test.go net: use slices and maps to clean up tests 2024-07-25 00:20:13 +00:00
h2_bundle.go net/http: update bundled golang.org/x/net/http2 [generated] 2025-01-21 13:03:18 -08:00
h2_error.go
h2_error_test.go
header.go net/http: use slices to simplify the code 2024-03-21 22:14:00 +00:00
header_test.go
http.go net/http: document zero value of Protocols 2024-12-11 12:15:29 -08:00
http_test.go net/http: add Protocols field to Server and Transport 2024-11-05 22:14:59 +00:00
jar.go
main_test.go net/http: speed up go test 2024-04-03 22:49:46 +00:00
mapping.go
mapping_test.go
method.go
netconn_test.go net/http: test for racing idle conn closure and new requests 2024-11-26 18:05:09 +00:00
omithttp2.go
pattern.go net/http: allow multiple spaces between method and path in mux patterns 2024-02-26 16:36:30 +00:00
pattern_test.go net/http: allow multiple spaces between method and path in mux patterns 2024-02-26 16:36:30 +00:00
proxy_test.go
range_test.go
readrequest_test.go net/http: reject requests with invalid Content-Length headers 2024-02-14 22:23:32 +00:00
request.go net/http: update NewRequestWithContext wrong link to NewRequest 2025-01-06 11:01:12 -08:00
request_test.go net: use slices and maps to clean up tests 2024-07-25 00:20:13 +00:00
requestwrite_test.go
response.go
response_test.go net/http: don't write body for HEAD responses in Response.Write 2024-07-29 21:26:22 +00:00
responsecontroller.go
responsecontroller_test.go net/http: add ResponseController http2 request without body read deadline test 2024-03-06 19:20:31 +00:00
responsewrite_test.go
roundtrip.go all: document legacy //go:linkname for final round of modules 2024-05-29 17:58:53 +00:00
roundtrip_js.go
routing_index.go
routing_index_test.go net/http: use slices to simplify the code 2024-03-21 22:14:00 +00:00
routing_tree.go net/http: represent multi wildcards properly 2024-04-30 15:43:24 +00:00
routing_tree_test.go net/http: avoid appending an existing trailing slash to path again 2024-06-28 17:01:13 +00:00
serve_test.go [release-branch.go1.24] net/http: reject newlines in chunk-size lines 2025-03-18 12:40:27 -07:00
servemux121.go net/http: add comments that servemux121.go should remain frozen 2024-04-18 15:40:38 +00:00
server.go [release-branch.go1.24] net/http: don't modify caller's tls.Config.NextProtos 2025-03-17 14:37:18 -07:00
server_test.go net/http: refine trailing-slash redirect logic 2024-02-13 13:54:22 +00:00
sniff.go
sniff_test.go net: use slices and maps to clean up tests 2024-07-25 00:20:13 +00:00
socks_bundle.go
status.go
transfer.go net/http: make use of maps.Copy 2024-09-13 17:00:55 +00:00
transfer_test.go
transport.go net/http: avoid redundant installation of HTTP/2 support in transport 2024-11-25 18:39:27 +00:00
transport_default_other.go
transport_default_wasm.go
transport_dial_test.go net/http: don't cancel Dials when requests are canceled 2024-04-17 21:11:57 +00:00
transport_internal_test.go net/http: simplify HTTP/1 request cancelation 2024-05-16 15:57:17 +00:00
transport_test.go net/http: fix nil panic in test 2024-12-19 10:59:58 -08:00
triv.go