Compare commits
108 Commits
master
...
golang-1.5
Author | SHA1 | Date |
---|---|---|
Vincent Batts | 682f928b4c | |
Vincent Batts | 0d7b61e3f5 | |
Vincent Batts | 821a201d20 | |
Vincent Batts | ab2af38a0f | |
Vincent Batts | 93edd60791 | |
Vincent Batts | aa501a2cd8 | |
Vincent Batts | 6eee324d17 | |
Vincent Batts | 8350bb0fe4 | |
Vincent Batts | 2986c3304e | |
Vincent Batts | 9de436f47e | |
Vincent Batts | 8b9f2ff413 | |
Vincent Batts | 9d7e13198d | |
Vincent Batts | 6cc32fc12f | |
Vincent Batts | 3c45dc2a3a | |
Vincent Batts | 47ce6d73cf | |
Vincent Batts | 84033d417e | |
Vincent Batts | 33152ba710 | |
Vincent Batts | 31e8a62d23 | |
Vincent Batts | 3b49f3293c | |
Vincent Batts | 110e264e04 | |
Vincent Batts | 9380b0eceb | |
Vincent Batts | abfb918aeb | |
Vincent Batts | d216431587 | |
Vincent Batts | 1c5a967947 | |
Vincent Batts | ea1d7adb97 | |
Vincent Batts | 39bf515e07 | |
Vincent Batts | 230c272aac | |
Vincent Batts | ab7a3d0b63 | |
Vincent Batts | 60a575aca1 | |
Vincent Batts | 6ceac592dd | |
Vincent Batts | 90e73267ad | |
Vincent Batts | d65d3f8a40 | |
Vincent Batts | 60bb592493 | |
Vincent Batts | 688fe6aa08 | |
Vincent Batts | 27d627a74b | |
Vincent Batts | c89cd17117 | |
Vincent Batts | 6da1cd966e | |
Vincent Batts | 97dd9b460e | |
Vincent Batts | c6c5ac57e3 | |
Vincent Batts | 9abed9ed84 | |
Vincent Batts | 8712265c7e | |
Vincent Batts | 73415829c2 | |
Vincent Batts | e3554eaea8 | |
Vincent Batts | 420732b09d | |
Vincent Batts | 7c6268c5d6 | |
Vincent Batts | 96d7496e05 | |
Vincent Batts | d1b8e89d5a | |
Vincent Batts | 412a4623e4 | |
Vincent Batts | 3ab77e50be | |
Vincent Batts | 204c3459b6 | |
Vincent Batts | fa35b27c26 | |
Vincent Batts | f6645a7f86 | |
Vincent Batts | df3e55e110 | |
Vincent Batts | a5ed0429aa | |
Vincent Batts | eb35b4275b | |
Vincent Batts | 847040875c | |
Vincent Batts | b155214884 | |
Vincent Batts | 668c87d6d8 | |
Vincent Batts | a518e20201 | |
Vincent Batts | 1a89979632 | |
Vincent Batts | cf91978557 | |
Vincent Batts | 15411c9d44 | |
Vincent Batts | 4ea74e374a | |
Vincent Batts | 81323f3ca5 | |
Vincent Batts | 3dab810ad8 | |
Vincent Batts | 178b1469c1 | |
Vincent Batts | 70cefcfce2 | |
Vincent Batts | a0dbb55483 | |
Vincent Batts | 9b901fa781 | |
Adam Miller | 8b15f6569a | |
Adam Miller | 46df8a9ba5 | |
Adam Miller | 3342a8bbe5 | |
Adam Miller | 3fb2038602 | |
Adam Miller | 2e5eb6e3d1 | |
Adam Miller | 8a8b586b8d | |
Adam Miller | 9e4e25cf53 | |
Adam Miller | 957169509d | |
Adam Miller | 5253fbfde8 | |
Adam Miller | 52bd3bfa8d | |
Adam Miller | ba9665b0fe | |
Adam Miller | ea4af86ffb | |
Vincent Batts | 4604bf724d | |
Vincent Batts | 583f94dcc1 | |
Vincent Batts | 8197a39098 | |
Vincent Batts | ea5e86ce3d | |
Vincent Batts | 64f997fc97 | |
Vincent Batts | a70daa81a8 | |
Vincent Batts | 2f21c1b8e2 | |
Vincent Batts | 0aff087ed3 | |
Vincent Batts | 5a0728e5a2 | |
Vincent Batts | d4e31c03ca | |
Vincent Batts | 3d2e2d5e92 | |
Vincent Batts | 766dafab1b | |
Vincent Batts | 80f4cc9e22 | |
Vincent Batts | 6dfa9a88bc | |
Vincent Batts | adb88d9b5d | |
Vincent Batts | 866e8dcc93 | |
Vincent Batts | 8856b2e166 | |
Adam Miller | f12359b27e | |
Adam Miller | e6ff51995e | |
Adam Miller | a601655be1 | |
Adam Miller | e3f1c1568c | |
Adam Miller | 666ac20aad | |
Adam Miller | 76d86a9d1a | |
Adam Miller | 993b94291e | |
Adam Miller | 75bcad53e9 | |
Adam Miller | 79fe1edc90 | |
Adam Miller | e275250300 |
|
@ -23,3 +23,4 @@
|
|||
/go1.5beta3.src.tar.gz
|
||||
/go1.5rc1.src.tar.gz
|
||||
/go1.5.src.tar.gz
|
||||
/go1.5.1.src.tar.gz
|
||||
|
|
|
@ -0,0 +1,135 @@
|
|||
commit 117ddcb83d7f42d6aa72241240af99ded81118e9
|
||||
Author: Brad Fitzpatrick <bradfitz@golang.org>
|
||||
Date: Tue Jun 30 09:22:41 2015 -0700
|
||||
|
||||
net/textproto: don't treat spaces as hyphens in header keys
|
||||
|
||||
This was originally done in https://codereview.appspot.com/5690059
|
||||
(Feb 2012) to deal with bad response headers coming back from webcams,
|
||||
but it presents a potential security problem with HTTP request
|
||||
smuggling for request headers containing "Content Length" instead of
|
||||
"Content-Length".
|
||||
|
||||
Part of overall HTTP hardening for request smuggling. See RFC 7230.
|
||||
|
||||
Thanks to Régis Leroy for the report.
|
||||
|
||||
Change-Id: I92b17fb637c9171c5774ea1437979ae2c17ca88a
|
||||
Reviewed-on: https://go-review.googlesource.com/11772
|
||||
Reviewed-by: Russ Cox <rsc@golang.org>
|
||||
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
|
||||
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
||||
|
||||
diff --git a/src/net/http/header.go b/src/net/http/header.go
|
||||
index 153b943..d847b13 100644
|
||||
--- a/src/net/http/header.go
|
||||
+++ b/src/net/http/header.go
|
||||
@@ -168,6 +168,8 @@ func (h Header) WriteSubset(w io.Writer, exclude map[string]bool) error {
|
||||
// letter and any letter following a hyphen to upper case;
|
||||
// the rest are converted to lowercase. For example, the
|
||||
// canonical key for "accept-encoding" is "Accept-Encoding".
|
||||
+// If s contains a space or invalid header field bytes, it is
|
||||
+// returned without modifications.
|
||||
func CanonicalHeaderKey(s string) string { return textproto.CanonicalMIMEHeaderKey(s) }
|
||||
|
||||
// hasToken reports whether token appears with v, ASCII
|
||||
diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
|
||||
index e4b8f6b..91303fe 100644
|
||||
--- a/src/net/textproto/reader.go
|
||||
+++ b/src/net/textproto/reader.go
|
||||
@@ -547,11 +547,16 @@ func (r *Reader) upcomingHeaderNewlines() (n int) {
|
||||
// the rest are converted to lowercase. For example, the
|
||||
// canonical key for "accept-encoding" is "Accept-Encoding".
|
||||
// MIME header keys are assumed to be ASCII only.
|
||||
+// If s contains a space or invalid header field bytes, it is
|
||||
+// returned without modifications.
|
||||
func CanonicalMIMEHeaderKey(s string) string {
|
||||
// Quick check for canonical encoding.
|
||||
upper := true
|
||||
for i := 0; i < len(s); i++ {
|
||||
c := s[i]
|
||||
+ if !validHeaderFieldByte(c) {
|
||||
+ return s
|
||||
+ }
|
||||
if upper && 'a' <= c && c <= 'z' {
|
||||
return canonicalMIMEHeaderKey([]byte(s))
|
||||
}
|
||||
@@ -565,19 +570,44 @@ func CanonicalMIMEHeaderKey(s string) string {
|
||||
|
||||
const toLower = 'a' - 'A'
|
||||
|
||||
+// validHeaderFieldByte reports whether b is a valid byte in a header
|
||||
+// field key. This is actually stricter than RFC 7230, which says:
|
||||
+// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
|
||||
+// "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
|
||||
+// token = 1*tchar
|
||||
+// TODO: revisit in Go 1.6+ and possibly expand this. But note that many
|
||||
+// servers have historically dropped '_' to prevent ambiguities when mapping
|
||||
+// to CGI environment variables.
|
||||
+func validHeaderFieldByte(b byte) bool {
|
||||
+ return ('A' <= b && b <= 'Z') ||
|
||||
+ ('a' <= b && b <= 'z') ||
|
||||
+ ('0' <= b && b <= '9') ||
|
||||
+ b == '-'
|
||||
+}
|
||||
+
|
||||
// canonicalMIMEHeaderKey is like CanonicalMIMEHeaderKey but is
|
||||
// allowed to mutate the provided byte slice before returning the
|
||||
// string.
|
||||
+//
|
||||
+// For invalid inputs (if a contains spaces or non-token bytes), a
|
||||
+// is unchanged and a string copy is returned.
|
||||
func canonicalMIMEHeaderKey(a []byte) string {
|
||||
+ // See if a looks like a header key. If not, return it unchanged.
|
||||
+ for _, c := range a {
|
||||
+ if validHeaderFieldByte(c) {
|
||||
+ continue
|
||||
+ }
|
||||
+ // Don't canonicalize.
|
||||
+ return string(a)
|
||||
+ }
|
||||
+
|
||||
upper := true
|
||||
for i, c := range a {
|
||||
// Canonicalize: first letter upper case
|
||||
// and upper case after each dash.
|
||||
// (Host, User-Agent, If-Modified-Since).
|
||||
// MIME headers are ASCII only, so no Unicode issues.
|
||||
- if c == ' ' {
|
||||
- c = '-'
|
||||
- } else if upper && 'a' <= c && c <= 'z' {
|
||||
+ if upper && 'a' <= c && c <= 'z' {
|
||||
c -= toLower
|
||||
} else if !upper && 'A' <= c && c <= 'Z' {
|
||||
c += toLower
|
||||
diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
|
||||
index 6bbd993..8fce7dd 100644
|
||||
--- a/src/net/textproto/reader_test.go
|
||||
+++ b/src/net/textproto/reader_test.go
|
||||
@@ -24,11 +24,14 @@ var canonicalHeaderKeyTests = []canonicalHeaderKeyTest{
|
||||
{"uSER-aGENT", "User-Agent"},
|
||||
{"user-agent", "User-Agent"},
|
||||
{"USER-AGENT", "User-Agent"},
|
||||
- {"üser-agenT", "üser-Agent"}, // non-ASCII unchanged
|
||||
+
|
||||
+ // Non-ASCII or anything with spaces or non-token chars is unchanged:
|
||||
+ {"üser-agenT", "üser-agenT"},
|
||||
+ {"a B", "a B"},
|
||||
|
||||
// This caused a panic due to mishandling of a space:
|
||||
- {"C Ontent-Transfer-Encoding", "C-Ontent-Transfer-Encoding"},
|
||||
- {"foo bar", "Foo-Bar"},
|
||||
+ {"C Ontent-Transfer-Encoding", "C Ontent-Transfer-Encoding"},
|
||||
+ {"foo bar", "foo bar"},
|
||||
}
|
||||
|
||||
func TestCanonicalMIMEHeaderKey(t *testing.T) {
|
||||
@@ -194,7 +197,7 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
|
||||
"Foo": {"bar"},
|
||||
"Content-Language": {"en"},
|
||||
"Sid": {"0"},
|
||||
- "Audio-Mode": {"None"},
|
||||
+ "Audio Mode": {"None"},
|
||||
"Privilege": {"127"},
|
||||
}
|
||||
if !reflect.DeepEqual(m, want) || err != nil {
|
|
@ -0,0 +1,112 @@
|
|||
commit 143822585e32449860e624cace9d2e521deee62e
|
||||
Author: Brad Fitzpatrick <bradfitz@golang.org>
|
||||
Date: Tue Jul 7 13:19:44 2015 -0600
|
||||
|
||||
net/http: revert overly-strict part of earlier smuggling defense
|
||||
|
||||
The recent https://golang.org/cl/11810 is reportedly a bit too
|
||||
aggressive.
|
||||
|
||||
Apparently some HTTP requests in the wild do contain both a
|
||||
Transfer-Encoding along with a bogus Content-Length. Instead of
|
||||
returning a 400 Bad Request error, we should just ignore the
|
||||
Content-Length like we did before.
|
||||
|
||||
Change-Id: I0001be90d09f8293a34f04691f608342875ff5c4
|
||||
Reviewed-on: https://go-review.googlesource.com/11962
|
||||
Reviewed-by: Andrew Gerrand <adg@golang.org>
|
||||
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
|
||||
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
||||
|
||||
diff --git a/src/net/http/readrequest_test.go b/src/net/http/readrequest_test.go
|
||||
index 1a3cf91..60e2be4 100644
|
||||
--- a/src/net/http/readrequest_test.go
|
||||
+++ b/src/net/http/readrequest_test.go
|
||||
@@ -178,6 +178,36 @@ var reqTests = []reqTest{
|
||||
noError,
|
||||
},
|
||||
|
||||
+ // Tests chunked body and a bogus Content-Length which should be deleted.
|
||||
+ {
|
||||
+ "POST / HTTP/1.1\r\n" +
|
||||
+ "Host: foo.com\r\n" +
|
||||
+ "Transfer-Encoding: chunked\r\n" +
|
||||
+ "Content-Length: 9999\r\n\r\n" + // to be removed.
|
||||
+ "3\r\nfoo\r\n" +
|
||||
+ "3\r\nbar\r\n" +
|
||||
+ "0\r\n" +
|
||||
+ "\r\n",
|
||||
+ &Request{
|
||||
+ Method: "POST",
|
||||
+ URL: &url.URL{
|
||||
+ Path: "/",
|
||||
+ },
|
||||
+ TransferEncoding: []string{"chunked"},
|
||||
+ Proto: "HTTP/1.1",
|
||||
+ ProtoMajor: 1,
|
||||
+ ProtoMinor: 1,
|
||||
+ Header: Header{},
|
||||
+ ContentLength: -1,
|
||||
+ Host: "foo.com",
|
||||
+ RequestURI: "/",
|
||||
+ },
|
||||
+
|
||||
+ "foobar",
|
||||
+ noTrailer,
|
||||
+ noError,
|
||||
+ },
|
||||
+
|
||||
// CONNECT request with domain name:
|
||||
{
|
||||
"CONNECT www.google.com:443 HTTP/1.1\r\n\r\n",
|
||||
@@ -400,11 +430,6 @@ Content-Length: 3
|
||||
Content-Length: 4
|
||||
|
||||
abc`)},
|
||||
- {"smuggle_chunked_and_len", reqBytes(`POST / HTTP/1.1
|
||||
-Transfer-Encoding: chunked
|
||||
-Content-Length: 3
|
||||
-
|
||||
-abc`)},
|
||||
{"smuggle_content_len_head", reqBytes(`HEAD / HTTP/1.1
|
||||
Host: foo
|
||||
Content-Length: 5`)},
|
||||
diff --git a/src/net/http/transfer.go b/src/net/http/transfer.go
|
||||
index 3c868bd..fbbbf24 100644
|
||||
--- a/src/net/http/transfer.go
|
||||
+++ b/src/net/http/transfer.go
|
||||
@@ -430,7 +430,6 @@ func fixTransferEncoding(isResponse bool, requestMethod string, header Header) (
|
||||
if !present {
|
||||
return nil, nil
|
||||
}
|
||||
- isRequest := !isResponse
|
||||
delete(header, "Transfer-Encoding")
|
||||
|
||||
encodings := strings.Split(raw[0], ",")
|
||||
@@ -458,12 +457,20 @@ func fixTransferEncoding(isResponse bool, requestMethod string, header Header) (
|
||||
// RFC 7230 3.3.2 says "A sender MUST NOT send a
|
||||
// Content-Length header field in any message that
|
||||
// contains a Transfer-Encoding header field."
|
||||
- if len(header["Content-Length"]) > 0 {
|
||||
- if isRequest {
|
||||
- return nil, errors.New("http: invalid Content-Length with Transfer-Encoding")
|
||||
- }
|
||||
- delete(header, "Content-Length")
|
||||
- }
|
||||
+ //
|
||||
+ // but also:
|
||||
+ // "If a message is received with both a
|
||||
+ // Transfer-Encoding and a Content-Length header
|
||||
+ // field, the Transfer-Encoding overrides the
|
||||
+ // Content-Length. Such a message might indicate an
|
||||
+ // attempt to perform request smuggling (Section 9.5)
|
||||
+ // or response splitting (Section 9.4) and ought to be
|
||||
+ // handled as an error. A sender MUST remove the
|
||||
+ // received Content-Length field prior to forwarding
|
||||
+ // such a message downstream."
|
||||
+ //
|
||||
+ // Reportedly, these appear in the wild.
|
||||
+ delete(header, "Content-Length")
|
||||
return te, nil
|
||||
}
|
||||
|
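Review bot: The now-unconditional `delete(header, "Content-Length")` in the transfer.go hunk silently drops a field that the RFC text quoted directly above it says "ought to be handled as an error", and the closing `// Reportedly, these appear in the wild.` records the pressure to relax but not why relaxing is safe on this side, which invites someone to re-tighten it later. I would extend that comment, e.g. `// Transfer-Encoding wins, as the RFC requires, so the stale Content-Length is neither used for framing here nor forwarded; an intermediary that prefers Content-Length over Transfer-Encoding stays exposed to CL.TE desync and must be fixed there.` Deleting the field rather than leaving it in the map alongside `ContentLength: -1` is the right shape, and the new reqTests case with `Header: Header{}` pins it. Separately, the context line `encodings := strings.Split(raw[0], ",")` shows only the first `Transfer-Encoding` line is ever inspected before all of them are deleted, so a second `Transfer-Encoding:` line appears to be discarded unexamined; that is pre-existing, but a follow-up test would be worthwhile. The `if len(te) > 0` guard enclosing the delete begins outside this hunk.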
|
@ -0,0 +1,225 @@
|
|||
commit 300d9a21583e7cf0149a778a0611e76ff7c6680f
|
||||
Author: Brad Fitzpatrick <bradfitz@golang.org>
|
||||
Date: Tue Jun 30 14:21:15 2015 -0700
|
||||
|
||||
net/http: harden Server against request smuggling
|
||||
|
||||
See RFC 7230.
|
||||
|
||||
Thanks to Régis Leroy for the report.
|
||||
|
||||
Change-Id: Ic1779bc2180900430d4d7a4938cac04ed73c304c
|
||||
Reviewed-on: https://go-review.googlesource.com/11810
|
||||
Reviewed-by: Russ Cox <rsc@golang.org>
|
||||
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
|
||||
|
||||
diff --git a/src/net/http/readrequest_test.go b/src/net/http/readrequest_test.go
|
||||
index e930d99..1a3cf91 100644
|
||||
--- a/src/net/http/readrequest_test.go
|
||||
+++ b/src/net/http/readrequest_test.go
|
||||
@@ -9,6 +9,7 @@ import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
+ "io/ioutil"
|
||||
"net/url"
|
||||
"reflect"
|
||||
"strings"
|
||||
@@ -323,6 +324,32 @@ var reqTests = []reqTest{
|
||||
noTrailer,
|
||||
noError,
|
||||
},
|
||||
+
|
||||
+ // HEAD with Content-Length 0. Make sure this is permitted,
|
||||
+ // since I think we used to send it.
|
||||
+ {
|
||||
+ "HEAD / HTTP/1.1\r\nHost: issue8261.com\r\nConnection: close\r\nContent-Length: 0\r\n\r\n",
|
||||
+ &Request{
|
||||
+ Method: "HEAD",
|
||||
+ URL: &url.URL{
|
||||
+ Path: "/",
|
||||
+ },
|
||||
+ Header: Header{
|
||||
+ "Connection": []string{"close"},
|
||||
+ "Content-Length": []string{"0"},
|
||||
+ },
|
||||
+ Host: "issue8261.com",
|
||||
+ Proto: "HTTP/1.1",
|
||||
+ ProtoMajor: 1,
|
||||
+ ProtoMinor: 1,
|
||||
+ Close: true,
|
||||
+ RequestURI: "/",
|
||||
+ },
|
||||
+
|
||||
+ noBody,
|
||||
+ noTrailer,
|
||||
+ noError,
|
||||
+ },
|
||||
}
|
||||
|
||||
func TestReadRequest(t *testing.T) {
|
||||
@@ -356,3 +383,39 @@ func TestReadRequest(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
+
|
||||
+// reqBytes treats req as a request (with \n delimiters) and returns it with \r\n delimiters,
|
||||
+// ending in \r\n\r\n
|
||||
+func reqBytes(req string) []byte {
|
||||
+ return []byte(strings.Replace(strings.TrimSpace(req), "\n", "\r\n", -1) + "\r\n\r\n")
|
||||
+}
|
||||
+
|
||||
+var badRequestTests = []struct {
|
||||
+ name string
|
||||
+ req []byte
|
||||
+}{
|
||||
+ {"bad_connect_host", reqBytes("CONNECT []%20%48%54%54%50%2f%31%2e%31%0a%4d%79%48%65%61%64%65%72%3a%20%31%32%33%0a%0a HTTP/1.0")},
|
||||
+ {"smuggle_two_contentlen", reqBytes(`POST / HTTP/1.1
|
||||
+Content-Length: 3
|
||||
+Content-Length: 4
|
||||
+
|
||||
+abc`)},
|
||||
+ {"smuggle_chunked_and_len", reqBytes(`POST / HTTP/1.1
|
||||
+Transfer-Encoding: chunked
|
||||
+Content-Length: 3
|
||||
+
|
||||
+abc`)},
|
||||
+ {"smuggle_content_len_head", reqBytes(`HEAD / HTTP/1.1
|
||||
+Host: foo
|
||||
+Content-Length: 5`)},
|
||||
+}
|
||||
+
|
||||
+func TestReadRequest_Bad(t *testing.T) {
|
||||
+ for _, tt := range badRequestTests {
|
||||
+ got, err := ReadRequest(bufio.NewReader(bytes.NewReader(tt.req)))
|
||||
+ if err == nil {
|
||||
+ all, err := ioutil.ReadAll(got.Body)
|
||||
+ t.Errorf("%s: got unexpected request = %#v\n Body = %q, %v", tt.name, got, all, err)
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git a/src/net/http/transfer.go b/src/net/http/transfer.go
|
||||
index 5205003..3887604 100644
|
||||
--- a/src/net/http/transfer.go
|
||||
+++ b/src/net/http/transfer.go
|
||||
@@ -143,6 +143,9 @@ func (t *transferWriter) shouldSendContentLength() bool {
|
||||
return true
|
||||
}
|
||||
if t.ContentLength == 0 && isIdentity(t.TransferEncoding) {
|
||||
+ if t.Method == "GET" || t.Method == "HEAD" {
|
||||
+ return false
|
||||
+ }
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -310,6 +313,7 @@ func readTransfer(msg interface{}, r *bufio.Reader) (err error) {
|
||||
}
|
||||
case *Request:
|
||||
t.Header = rr.Header
|
||||
+ t.RequestMethod = rr.Method
|
||||
t.ProtoMajor = rr.ProtoMajor
|
||||
t.ProtoMinor = rr.ProtoMinor
|
||||
// Transfer semantics for Requests are exactly like those for
|
||||
@@ -325,7 +329,7 @@ func readTransfer(msg interface{}, r *bufio.Reader) (err error) {
|
||||
}
|
||||
|
||||
// Transfer encoding, content length
|
||||
- t.TransferEncoding, err = fixTransferEncoding(t.RequestMethod, t.Header)
|
||||
+ t.TransferEncoding, err = fixTransferEncoding(isResponse, t.RequestMethod, t.Header)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -413,12 +417,12 @@ func chunked(te []string) bool { return len(te) > 0 && te[0] == "chunked" }
|
||||
func isIdentity(te []string) bool { return len(te) == 1 && te[0] == "identity" }
|
||||
|
||||
// Sanitize transfer encoding
|
||||
-func fixTransferEncoding(requestMethod string, header Header) ([]string, error) {
|
||||
+func fixTransferEncoding(isResponse bool, requestMethod string, header Header) ([]string, error) {
|
||||
raw, present := header["Transfer-Encoding"]
|
||||
if !present {
|
||||
return nil, nil
|
||||
}
|
||||
-
|
||||
+ isRequest := !isResponse
|
||||
delete(header, "Transfer-Encoding")
|
||||
|
||||
encodings := strings.Split(raw[0], ",")
|
||||
@@ -443,10 +447,15 @@ func fixTransferEncoding(requestMethod string, header Header) ([]string, error)
|
||||
return nil, &badStringError{"too many transfer encodings", strings.Join(te, ",")}
|
||||
}
|
||||
if len(te) > 0 {
|
||||
- // Chunked encoding trumps Content-Length. See RFC 2616
|
||||
- // Section 4.4. Currently len(te) > 0 implies chunked
|
||||
- // encoding.
|
||||
- delete(header, "Content-Length")
|
||||
+ // RFC 7230 3.3.2 says "A sender MUST NOT send a
|
||||
+ // Content-Length header field in any message that
|
||||
+ // contains a Transfer-Encoding header field."
|
||||
+ if len(header["Content-Length"]) > 0 {
|
||||
+ if isRequest {
|
||||
+ return nil, errors.New("http: invalid Content-Length with Transfer-Encoding")
|
||||
+ }
|
||||
+ delete(header, "Content-Length")
|
||||
+ }
|
||||
return te, nil
|
||||
}
|
||||
|
||||
@@ -457,9 +466,17 @@ func fixTransferEncoding(requestMethod string, header Header) ([]string, error)
|
||||
// function is not a method, because ultimately it should be shared by
|
||||
// ReadResponse and ReadRequest.
|
||||
func fixLength(isResponse bool, status int, requestMethod string, header Header, te []string) (int64, error) {
|
||||
-
|
||||
+ contentLens := header["Content-Length"]
|
||||
+ isRequest := !isResponse
|
||||
// Logic based on response type or status
|
||||
if noBodyExpected(requestMethod) {
|
||||
+ // For HTTP requests, as part of hardening against request
|
||||
+ // smuggling (RFC 7230), don't allow a Content-Length header for
|
||||
+ // methods which don't permit bodies. As an exception, allow
|
||||
+ // exactly one Content-Length header if its value is "0".
|
||||
+ if isRequest && len(contentLens) > 0 && !(len(contentLens) == 1 && contentLens[0] == "0") {
|
||||
+ return 0, fmt.Errorf("http: method cannot contain a Content-Length; got %q", contentLens)
|
||||
+ }
|
||||
return 0, nil
|
||||
}
|
||||
if status/100 == 1 {
|
||||
@@ -470,13 +487,21 @@ func fixLength(isResponse bool, status int, requestMethod string, header Header,
|
||||
return 0, nil
|
||||
}
|
||||
|
||||
+ if len(contentLens) > 1 {
|
||||
+ // harden against HTTP request smuggling. See RFC 7230.
|
||||
+ return 0, errors.New("http: message cannot contain multiple Content-Length headers")
|
||||
+ }
|
||||
+
|
||||
// Logic based on Transfer-Encoding
|
||||
if chunked(te) {
|
||||
return -1, nil
|
||||
}
|
||||
|
||||
// Logic based on Content-Length
|
||||
- cl := strings.TrimSpace(header.get("Content-Length"))
|
||||
+ var cl string
|
||||
+ if len(contentLens) == 1 {
|
||||
+ cl = strings.TrimSpace(contentLens[0])
|
||||
+ }
|
||||
if cl != "" {
|
||||
n, err := parseContentLength(cl)
|
||||
if err != nil {
|
||||
@@ -487,11 +512,14 @@ func fixLength(isResponse bool, status int, requestMethod string, header Header,
|
||||
header.Del("Content-Length")
|
||||
}
|
||||
|
||||
- if !isResponse && requestMethod == "GET" {
|
||||
- // RFC 2616 doesn't explicitly permit nor forbid an
|
||||
+ if !isResponse {
|
||||
+ // RFC 2616 neither explicitly permits nor forbids an
|
||||
// entity-body on a GET request so we permit one if
|
||||
// declared, but we default to 0 here (not -1 below)
|
||||
// if there's no mention of a body.
|
||||
+ // Likewise, all other request methods are assumed to have
|
||||
+ // no body if neither Transfer-Encoding chunked nor a
|
||||
+ // Content-Length are set.
|
||||
return 0, nil
|
||||
}
|
||||
|
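Review bot: The new `len(contentLens) > 1` check in fixLength rejects duplicate `Content-Length` header lines, but a single line carrying a comma-separated list (`Content-Length: 3, 4`), which RFC 7230 §3.3.2 treats the same way, still reaches `parseContentLength` with the whole string; that function is outside the hunk, so whether the list form is rejected depends on it failing to parse `3, 4`, and nothing in badRequestTests pins that. I would add `{"smuggle_content_len_list", reqBytes("POST / HTTP/1.1\nContent-Length: 3, 4\n\nabc")},` next to `smuggle_two_contentlen`, plus a comment on the `> 1` check noting that the list form is left to parseContentLength. A smaller inconsistency: the no-body exception compares `contentLens[0] == "0"` verbatim while the single-value path below applies `strings.TrimSpace`; if the header reader does not already trim values, a `HEAD` with `Content-Length: 0 ` is rejected — stricter, not unsafe, but `strings.TrimSpace(contentLens[0]) == "0"` would match the other branch. `fixLength` continues past the end of the last hunk.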
141
golang.spec
141
golang.spec
|
@ -22,6 +22,9 @@
|
|||
%global __spec_install_post /usr/lib/rpm/check-rpaths /usr/lib/rpm/check-buildroot \
|
||||
/usr/lib/rpm/brp-compress
|
||||
|
||||
# allow turning this off
|
||||
%{!?build_xemacs:%global build_xemacs 1}
|
||||
|
||||
# let this match the macros in macros.golang
|
||||
%global goroot /usr/lib/%{name}
|
||||
%global gopath %{_datadir}/gocode
|
||||
|
@ -40,11 +43,11 @@
|
|||
%endif
|
||||
|
||||
%global go_api 1.5
|
||||
%global go_version 1.5
|
||||
%global go_version 1.5.1
|
||||
|
||||
Name: golang
|
||||
Version: 1.5
|
||||
Release: 6%{?dist}
|
||||
Version: 1.5.1
|
||||
Release: 0%{?dist}
|
||||
Summary: The Go Programming Language
|
||||
|
||||
License: BSD
|
||||
|
@ -424,6 +427,9 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Sep 09 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5.1-0
|
||||
- update to go1.5.1
|
||||
|
||||
* Thu Aug 27 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-6
|
||||
- starting a shared object subpackage. This will be x86_64 only until upstream supports more arches shared objects.
|
||||
|
||||
|
@ -447,42 +453,8 @@ fi
|
|||
* Thu Aug 20 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-1
|
||||
- updating to go1.5
|
||||
|
||||
* Thu Aug 06 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.11.rc1
|
||||
- fixing the sources reference
|
||||
|
||||
* Thu Aug 06 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.10.rc1
|
||||
- updating to go1.5rc1
|
||||
- checks are back in place
|
||||
|
||||
* Tue Aug 04 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.9.beta3
|
||||
- pull in upstream archive/tar fix
|
||||
|
||||
* Thu Jul 30 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.8.beta3
|
||||
- updating to go1.5beta3
|
||||
|
||||
* Thu Jul 30 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.7.beta2
|
||||
- add the patch ..
|
||||
|
||||
* Thu Jul 30 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.6.beta2
|
||||
- increase ELFRESERVE (bz1248071)
|
||||
|
||||
* Tue Jul 28 2015 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.5-0.5.beta2
|
||||
- correct package version and release tags as per naming guidelines
|
||||
|
||||
* Fri Jul 17 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-4.1.5beta2
|
||||
- adding test output, for visibility
|
||||
|
||||
* Fri Jul 10 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-3.1.5beta2
|
||||
- updating to go1.5beta2
|
||||
|
||||
* Fri Jul 10 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-2.1.5beta1
|
||||
- add checksum to sources and fixed one patch
|
||||
|
||||
* Fri Jul 10 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-1.1.5beta1
|
||||
- updating to go1.5beta1
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
* Wed Aug 05 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.2-3
|
||||
- bz1250352
|
||||
|
||||
* Wed Mar 18 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.2-2
|
||||
- obsoleting deprecated packages
|
||||
|
@ -521,64 +493,51 @@ fi
|
|||
* Mon Sep 29 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3.2-1
|
||||
- update to go1.3.2 (bz1147324)
|
||||
|
||||
* Thu Sep 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3.1-3
|
||||
- patching the tzinfo failure
|
||||
|
||||
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3.1-1
|
||||
- update to go1.3.1
|
||||
|
||||
* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-11
|
||||
- merged a line wrong
|
||||
|
||||
* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-10
|
||||
* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-22
|
||||
- more work to get cgo.a timestamps to line up, due to build-env
|
||||
- explicitly list all the files and directories for the source and packages trees
|
||||
|
||||
* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-21
|
||||
- touch cgo.a regardless
|
||||
|
||||
* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-20
|
||||
- rpm dependency ordering for %%post
|
||||
|
||||
* Tue Aug 12 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-19
|
||||
- finally check for a Stale cgo in a %%post
|
||||
|
||||
* Tue Aug 12 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-18
|
||||
- explicitly list all the files and directories for the packages trees
|
||||
|
||||
* Tue Aug 12 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-17
|
||||
- explicitly list all the files and directories of the src tree, to preserve timestamps
|
||||
|
||||
* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-16
|
||||
- touch all the built archives to be the same
|
||||
|
||||
* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-9
|
||||
* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-15
|
||||
- make golang-src 'noarch' again, since that was not a fix, and takes up more space
|
||||
|
||||
* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-8
|
||||
* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-14
|
||||
- update timestamps of source files during %%install bz1099206
|
||||
|
||||
* Fri Aug 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-7
|
||||
* Fri Aug 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-13
|
||||
- update timestamps of source during %%install bz1099206
|
||||
|
||||
* Wed Aug 06 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-6
|
||||
* Fri Aug 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-12
|
||||
- set another version constraint on xemacs due to bz1127518
|
||||
|
||||
* Wed Aug 06 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-11
|
||||
- set a version constraint on xemacs due to bz1127518
|
||||
|
||||
* Wed Aug 06 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-10
|
||||
- make the source subpackage arch'ed, instead of noarch
|
||||
|
||||
* Mon Jul 21 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-5
|
||||
- fix the writing of pax headers
|
||||
|
||||
* Tue Jul 15 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-4
|
||||
* Tue Jul 15 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-9
|
||||
- fix the loading of gdb safe-path. bz981356
|
||||
|
||||
* Tue Jul 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-3
|
||||
* Tue Jul 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-8
|
||||
- `go install std` requires gcc, to build cgo. bz1105901, bz1101508
|
||||
|
||||
* Mon Jul 07 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-2
|
||||
- archive/tar memory allocation improvements
|
||||
|
||||
* Thu Jun 19 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-1
|
||||
- update to go1.3
|
||||
|
||||
* Fri Jun 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3rc2-1
|
||||
- update to go1.3rc2
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3rc1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Tue Jun 03 2014 Vincent Batts <vbatts@redhat.com> 1.3rc1-1
|
||||
- update to go1.3rc1
|
||||
- new arch file shuffling
|
||||
|
||||
* Wed May 21 2014 Vincent Batts <vbatts@redhat.com> 1.3beta2-1
|
||||
- update to go1.3beta2
|
||||
- no longer provides go-mode for xemacs (emacs only)
|
||||
|
||||
* Wed May 21 2014 Vincent Batts <vbatts@redhat.com> 1.2.2-7
|
||||
- bz1099206 ghost files are not what is needed
|
||||
|
||||
|
@ -665,23 +624,17 @@ fi
|
|||
- Pull upstream patches for BZ#1010271
|
||||
- Add glibc requirement that got dropped because of meta dep fix
|
||||
|
||||
* Fri Aug 30 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-4
|
||||
* Thu Sep 19 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.2.2-3
|
||||
- fix the libc meta dependency (thanks to vbatts [at] redhat.com for the fix)
|
||||
|
||||
* Tue Aug 27 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-3
|
||||
- Revert incorrect merged changelog
|
||||
* Fri Aug 16 2013 Adam Miller <admiller@redhat.com> - 1.1.2-2
|
||||
- vim-filesystem only required for Fedora , vim-common owns those files in RHEL
|
||||
|
||||
* Tue Aug 27 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-2
|
||||
- This was reverted, just a placeholder changelog entry for bad merge
|
||||
|
||||
* Tue Aug 20 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-1
|
||||
* Fri Aug 16 2013 Adam Miller <admiller@redhat.com> - 1.1.2-1
|
||||
- Update to latest upstream
|
||||
|
||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1.1.1-6
|
||||
- Perl 5.18 rebuild
|
||||
* Fri Aug 16 2013 Adam Miller <admiller@redhat.com> - 1.1.1-6
|
||||
- Remove xemacs bits for RHEL build
|
||||
|
||||
* Wed Jul 10 2013 Adam Goode <adam@spicenitz.org> - 1.1.1-5
|
||||
- Blacklist testdata files from prelink
|
||||
|
|