bz1271709 fix from upstream

Fixes: bz1250353 bz1250352 bz1250374

.gitignore

@@ -23,3 +23,4 @@
 /go1.5beta3.src.tar.gz
 /go1.5rc1.src.tar.gz
 /go1.5.src.tar.gz
+/go1.5.1.src.tar.gz

117ddcb83d7f42d6aa72241240af99ded81118e9.patch

@@ -0,0 +1,135 @@
+commit 117ddcb83d7f42d6aa72241240af99ded81118e9
+Author: Brad Fitzpatrick <bradfitz@golang.org>
+Date:   Tue Jun 30 09:22:41 2015 -0700
+
+    net/textproto: don't treat spaces as hyphens in header keys
+    
+    This was originally done in https://codereview.appspot.com/5690059
+    (Feb 2012) to deal with bad response headers coming back from webcams,
+    but it presents a potential security problem with HTTP request
+    smuggling for request headers containing "Content Length" instead of
+    "Content-Length".
+    
+    Part of overall HTTP hardening for request smuggling. See RFC 7230.
+    
+    Thanks to Régis Leroy for the report.
+    
+    Change-Id: I92b17fb637c9171c5774ea1437979ae2c17ca88a
+    Reviewed-on: https://go-review.googlesource.com/11772
+    Reviewed-by: Russ Cox <rsc@golang.org>
+    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+    TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+diff --git a/src/net/http/header.go b/src/net/http/header.go
+index 153b943..d847b13 100644
+--- a/src/net/http/header.go
++++ b/src/net/http/header.go
+@@ -168,6 +168,8 @@ func (h Header) WriteSubset(w io.Writer, exclude map[string]bool) error {
+ // letter and any letter following a hyphen to upper case;
+ // the rest are converted to lowercase.  For example, the
+ // canonical key for "accept-encoding" is "Accept-Encoding".
++// If s contains a space or invalid header field bytes, it is
++// returned without modifications.
+ func CanonicalHeaderKey(s string) string { return textproto.CanonicalMIMEHeaderKey(s) }
+ 
+ // hasToken reports whether token appears with v, ASCII
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index e4b8f6b..91303fe 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -547,11 +547,16 @@ func (r *Reader) upcomingHeaderNewlines() (n int) {
+ // the rest are converted to lowercase.  For example, the
+ // canonical key for "accept-encoding" is "Accept-Encoding".
+ // MIME header keys are assumed to be ASCII only.
++// If s contains a space or invalid header field bytes, it is
++// returned without modifications.
+ func CanonicalMIMEHeaderKey(s string) string {
+ 	// Quick check for canonical encoding.
+ 	upper := true
+ 	for i := 0; i < len(s); i++ {
+ 		c := s[i]
++		if !validHeaderFieldByte(c) {
++			return s
++		}
+ 		if upper && 'a' <= c && c <= 'z' {
+ 			return canonicalMIMEHeaderKey([]byte(s))
+ 		}
+@@ -565,19 +570,44 @@ func CanonicalMIMEHeaderKey(s string) string {
+ 
+ const toLower = 'a' - 'A'
+ 
++// validHeaderFieldByte reports whether b is a valid byte in a header
++// field key. This is actually stricter than RFC 7230, which says:
++//   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
++//           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
++//   token = 1*tchar
++// TODO: revisit in Go 1.6+ and possibly expand this. But note that many
++// servers have historically dropped '_' to prevent ambiguities when mapping
++// to CGI environment variables.
++func validHeaderFieldByte(b byte) bool {
++	return ('A' <= b && b <= 'Z') ||
++		('a' <= b && b <= 'z') ||
++		('0' <= b && b <= '9') ||
++		b == '-'
++}
++
+ // canonicalMIMEHeaderKey is like CanonicalMIMEHeaderKey but is
+ // allowed to mutate the provided byte slice before returning the
+ // string.
++//
++// For invalid inputs (if a contains spaces or non-token bytes), a
++// is unchanged and a string copy is returned.
+ func canonicalMIMEHeaderKey(a []byte) string {
++	// See if a looks like a header key. If not, return it unchanged.
++	for _, c := range a {
++		if validHeaderFieldByte(c) {
++			continue
++		}
++		// Don't canonicalize.
++		return string(a)
++	}
++
+ 	upper := true
+ 	for i, c := range a {
+ 		// Canonicalize: first letter upper case
+ 		// and upper case after each dash.
+ 		// (Host, User-Agent, If-Modified-Since).
+ 		// MIME headers are ASCII only, so no Unicode issues.
+-		if c == ' ' {
+-			c = '-'
+-		} else if upper && 'a' <= c && c <= 'z' {
++		if upper && 'a' <= c && c <= 'z' {
+ 			c -= toLower
+ 		} else if !upper && 'A' <= c && c <= 'Z' {
+ 			c += toLower
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 6bbd993..8fce7dd 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -24,11 +24,14 @@ var canonicalHeaderKeyTests = []canonicalHeaderKeyTest{
+ 	{"uSER-aGENT", "User-Agent"},
+ 	{"user-agent", "User-Agent"},
+ 	{"USER-AGENT", "User-Agent"},
+-	{"üser-agenT", "üser-Agent"}, // non-ASCII unchanged
++
++	// Non-ASCII or anything with spaces or non-token chars is unchanged:
++	{"üser-agenT", "üser-agenT"},
++	{"a B", "a B"},
+ 
+ 	// This caused a panic due to mishandling of a space:
+-	{"C Ontent-Transfer-Encoding", "C-Ontent-Transfer-Encoding"},
+-	{"foo bar", "Foo-Bar"},
++	{"C Ontent-Transfer-Encoding", "C Ontent-Transfer-Encoding"},
++	{"foo bar", "foo bar"},
+ }
+ 
+ func TestCanonicalMIMEHeaderKey(t *testing.T) {
+@@ -194,7 +197,7 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+ 		"Foo":              {"bar"},
+ 		"Content-Language": {"en"},
+ 		"Sid":              {"0"},
+-		"Audio-Mode":       {"None"},
++		"Audio Mode":       {"None"},
+ 		"Privilege":        {"127"},
+ 	}
+ 	if !reflect.DeepEqual(m, want) || err != nil {

143822585e32449860e624cace9d2e521deee62e.patch

@@ -0,0 +1,112 @@
+commit 143822585e32449860e624cace9d2e521deee62e
+Author: Brad Fitzpatrick <bradfitz@golang.org>
+Date:   Tue Jul 7 13:19:44 2015 -0600
+
+    net/http: revert overly-strict part of earlier smuggling defense
+    
+    The recent https://golang.org/cl/11810 is reportedly a bit too
+    aggressive.
+    
+    Apparently some HTTP requests in the wild do contain both a
+    Transfer-Encoding along with a bogus Content-Length. Instead of
+    returning a 400 Bad Request error, we should just ignore the
+    Content-Length like we did before.
+    
+    Change-Id: I0001be90d09f8293a34f04691f608342875ff5c4
+    Reviewed-on: https://go-review.googlesource.com/11962
+    Reviewed-by: Andrew Gerrand <adg@golang.org>
+    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+    TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+diff --git a/src/net/http/readrequest_test.go b/src/net/http/readrequest_test.go
+index 1a3cf91..60e2be4 100644
+--- a/src/net/http/readrequest_test.go
++++ b/src/net/http/readrequest_test.go
+@@ -178,6 +178,36 @@ var reqTests = []reqTest{
+ 		noError,
+ 	},
+ 
++	// Tests chunked body and a bogus Content-Length which should be deleted.
++	{
++		"POST / HTTP/1.1\r\n" +
++			"Host: foo.com\r\n" +
++			"Transfer-Encoding: chunked\r\n" +
++			"Content-Length: 9999\r\n\r\n" + // to be removed.
++			"3\r\nfoo\r\n" +
++			"3\r\nbar\r\n" +
++			"0\r\n" +
++			"\r\n",
++		&Request{
++			Method: "POST",
++			URL: &url.URL{
++				Path: "/",
++			},
++			TransferEncoding: []string{"chunked"},
++			Proto:            "HTTP/1.1",
++			ProtoMajor:       1,
++			ProtoMinor:       1,
++			Header:           Header{},
++			ContentLength:    -1,
++			Host:             "foo.com",
++			RequestURI:       "/",
++		},
++
++		"foobar",
++		noTrailer,
++		noError,
++	},
++
+ 	// CONNECT request with domain name:
+ 	{
+ 		"CONNECT www.google.com:443 HTTP/1.1\r\n\r\n",
+@@ -400,11 +430,6 @@ Content-Length: 3
+ Content-Length: 4
+ 
+ abc`)},
+-	{"smuggle_chunked_and_len", reqBytes(`POST / HTTP/1.1
+-Transfer-Encoding: chunked
+-Content-Length: 3
+-
+-abc`)},
+ 	{"smuggle_content_len_head", reqBytes(`HEAD / HTTP/1.1
+ Host: foo
+ Content-Length: 5`)},
+diff --git a/src/net/http/transfer.go b/src/net/http/transfer.go
+index 3c868bd..fbbbf24 100644
+--- a/src/net/http/transfer.go
++++ b/src/net/http/transfer.go
+@@ -430,7 +430,6 @@ func fixTransferEncoding(isResponse bool, requestMethod string, header Header) (
+ 	if !present {
+ 		return nil, nil
+ 	}
+-	isRequest := !isResponse
+ 	delete(header, "Transfer-Encoding")
+ 
+ 	encodings := strings.Split(raw[0], ",")
+@@ -458,12 +457,20 @@ func fixTransferEncoding(isResponse bool, requestMethod string, header Header) (
+ 		// RFC 7230 3.3.2 says "A sender MUST NOT send a
+ 		// Content-Length header field in any message that
+ 		// contains a Transfer-Encoding header field."
+-		if len(header["Content-Length"]) > 0 {
+-			if isRequest {
+-				return nil, errors.New("http: invalid Content-Length with Transfer-Encoding")
+-			}
+-			delete(header, "Content-Length")
+-		}
++		//
++		// but also:
++		// "If a message is received with both a
++		// Transfer-Encoding and a Content-Length header
++		// field, the Transfer-Encoding overrides the
++		// Content-Length. Such a message might indicate an
++		// attempt to perform request smuggling (Section 9.5)
++		// or response splitting (Section 9.4) and ought to be
++		// handled as an error. A sender MUST remove the
++		// received Content-Length field prior to forwarding
++		// such a message downstream."
++		//
++		// Reportedly, these appear in the wild.
++		delete(header, "Content-Length")
+ 		return te, nil
+ 	}
+ 

300d9a21583e7cf0149a778a0611e76ff7c6680f.patch

@@ -0,0 +1,225 @@
+commit 300d9a21583e7cf0149a778a0611e76ff7c6680f
+Author: Brad Fitzpatrick <bradfitz@golang.org>
+Date:   Tue Jun 30 14:21:15 2015 -0700
+
+    net/http: harden Server against request smuggling
+    
+    See RFC 7230.
+    
+    Thanks to Régis Leroy for the report.
+    
+    Change-Id: Ic1779bc2180900430d4d7a4938cac04ed73c304c
+    Reviewed-on: https://go-review.googlesource.com/11810
+    Reviewed-by: Russ Cox <rsc@golang.org>
+    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+
+diff --git a/src/net/http/readrequest_test.go b/src/net/http/readrequest_test.go
+index e930d99..1a3cf91 100644
+--- a/src/net/http/readrequest_test.go
++++ b/src/net/http/readrequest_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"bytes"
+ 	"fmt"
+ 	"io"
++	"io/ioutil"
+ 	"net/url"
+ 	"reflect"
+ 	"strings"
+@@ -323,6 +324,32 @@ var reqTests = []reqTest{
+ 		noTrailer,
+ 		noError,
+ 	},
++
++	// HEAD with Content-Length 0. Make sure this is permitted,
++	// since I think we used to send it.
++	{
++		"HEAD / HTTP/1.1\r\nHost: issue8261.com\r\nConnection: close\r\nContent-Length: 0\r\n\r\n",
++		&Request{
++			Method: "HEAD",
++			URL: &url.URL{
++				Path: "/",
++			},
++			Header: Header{
++				"Connection":     []string{"close"},
++				"Content-Length": []string{"0"},
++			},
++			Host:       "issue8261.com",
++			Proto:      "HTTP/1.1",
++			ProtoMajor: 1,
++			ProtoMinor: 1,
++			Close:      true,
++			RequestURI: "/",
++		},
++
++		noBody,
++		noTrailer,
++		noError,
++	},
+ }
+ 
+ func TestReadRequest(t *testing.T) {
+@@ -356,3 +383,39 @@ func TestReadRequest(t *testing.T) {
+ 		}
+ 	}
+ }
++
++// reqBytes treats req as a request (with \n delimiters) and returns it with \r\n delimiters,
++// ending in \r\n\r\n
++func reqBytes(req string) []byte {
++	return []byte(strings.Replace(strings.TrimSpace(req), "\n", "\r\n", -1) + "\r\n\r\n")
++}
++
++var badRequestTests = []struct {
++	name string
++	req  []byte
++}{
++	{"bad_connect_host", reqBytes("CONNECT []%20%48%54%54%50%2f%31%2e%31%0a%4d%79%48%65%61%64%65%72%3a%20%31%32%33%0a%0a HTTP/1.0")},
++	{"smuggle_two_contentlen", reqBytes(`POST / HTTP/1.1
++Content-Length: 3
++Content-Length: 4
++
++abc`)},
++	{"smuggle_chunked_and_len", reqBytes(`POST / HTTP/1.1
++Transfer-Encoding: chunked
++Content-Length: 3
++
++abc`)},
++	{"smuggle_content_len_head", reqBytes(`HEAD / HTTP/1.1
++Host: foo
++Content-Length: 5`)},
++}
++
++func TestReadRequest_Bad(t *testing.T) {
++	for _, tt := range badRequestTests {
++		got, err := ReadRequest(bufio.NewReader(bytes.NewReader(tt.req)))
++		if err == nil {
++			all, err := ioutil.ReadAll(got.Body)
++			t.Errorf("%s: got unexpected request = %#v\n  Body = %q, %v", tt.name, got, all, err)
++		}
++	}
++}
+diff --git a/src/net/http/transfer.go b/src/net/http/transfer.go
+index 5205003..3887604 100644
+--- a/src/net/http/transfer.go
++++ b/src/net/http/transfer.go
+@@ -143,6 +143,9 @@ func (t *transferWriter) shouldSendContentLength() bool {
+ 		return true
+ 	}
+ 	if t.ContentLength == 0 && isIdentity(t.TransferEncoding) {
++		if t.Method == "GET" || t.Method == "HEAD" {
++			return false
++		}
+ 		return true
+ 	}
+ 
+@@ -310,6 +313,7 @@ func readTransfer(msg interface{}, r *bufio.Reader) (err error) {
+ 		}
+ 	case *Request:
+ 		t.Header = rr.Header
++		t.RequestMethod = rr.Method
+ 		t.ProtoMajor = rr.ProtoMajor
+ 		t.ProtoMinor = rr.ProtoMinor
+ 		// Transfer semantics for Requests are exactly like those for
+@@ -325,7 +329,7 @@ func readTransfer(msg interface{}, r *bufio.Reader) (err error) {
+ 	}
+ 
+ 	// Transfer encoding, content length
+-	t.TransferEncoding, err = fixTransferEncoding(t.RequestMethod, t.Header)
++	t.TransferEncoding, err = fixTransferEncoding(isResponse, t.RequestMethod, t.Header)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -413,12 +417,12 @@ func chunked(te []string) bool { return len(te) > 0 && te[0] == "chunked" }
+ func isIdentity(te []string) bool { return len(te) == 1 && te[0] == "identity" }
+ 
+ // Sanitize transfer encoding
+-func fixTransferEncoding(requestMethod string, header Header) ([]string, error) {
++func fixTransferEncoding(isResponse bool, requestMethod string, header Header) ([]string, error) {
+ 	raw, present := header["Transfer-Encoding"]
+ 	if !present {
+ 		return nil, nil
+ 	}
+-
++	isRequest := !isResponse
+ 	delete(header, "Transfer-Encoding")
+ 
+ 	encodings := strings.Split(raw[0], ",")
+@@ -443,10 +447,15 @@ func fixTransferEncoding(requestMethod string, header Header) ([]string, error)
+ 		return nil, &badStringError{"too many transfer encodings", strings.Join(te, ",")}
+ 	}
+ 	if len(te) > 0 {
+-		// Chunked encoding trumps Content-Length. See RFC 2616
+-		// Section 4.4. Currently len(te) > 0 implies chunked
+-		// encoding.
+-		delete(header, "Content-Length")
++		// RFC 7230 3.3.2 says "A sender MUST NOT send a
++		// Content-Length header field in any message that
++		// contains a Transfer-Encoding header field."
++		if len(header["Content-Length"]) > 0 {
++			if isRequest {
++				return nil, errors.New("http: invalid Content-Length with Transfer-Encoding")
++			}
++			delete(header, "Content-Length")
++		}
+ 		return te, nil
+ 	}
+ 
+@@ -457,9 +466,17 @@ func fixTransferEncoding(requestMethod string, header Header) ([]string, error)
+ // function is not a method, because ultimately it should be shared by
+ // ReadResponse and ReadRequest.
+ func fixLength(isResponse bool, status int, requestMethod string, header Header, te []string) (int64, error) {
+-
++	contentLens := header["Content-Length"]
++	isRequest := !isResponse
+ 	// Logic based on response type or status
+ 	if noBodyExpected(requestMethod) {
++		// For HTTP requests, as part of hardening against request
++		// smuggling (RFC 7230), don't allow a Content-Length header for
++		// methods which don't permit bodies. As an exception, allow
++		// exactly one Content-Length header if its value is "0".
++		if isRequest && len(contentLens) > 0 && !(len(contentLens) == 1 && contentLens[0] == "0") {
++			return 0, fmt.Errorf("http: method cannot contain a Content-Length; got %q", contentLens)
++		}
+ 		return 0, nil
+ 	}
+ 	if status/100 == 1 {
+@@ -470,13 +487,21 @@ func fixLength(isResponse bool, status int, requestMethod string, header Header,
+ 		return 0, nil
+ 	}
+ 
++	if len(contentLens) > 1 {
++		// harden against HTTP request smuggling. See RFC 7230.
++		return 0, errors.New("http: message cannot contain multiple Content-Length headers")
++	}
++
+ 	// Logic based on Transfer-Encoding
+ 	if chunked(te) {
+ 		return -1, nil
+ 	}
+ 
+ 	// Logic based on Content-Length
+-	cl := strings.TrimSpace(header.get("Content-Length"))
++	var cl string
++	if len(contentLens) == 1 {
++		cl = strings.TrimSpace(contentLens[0])
++	}
+ 	if cl != "" {
+ 		n, err := parseContentLength(cl)
+ 		if err != nil {
+@@ -487,11 +512,14 @@ func fixLength(isResponse bool, status int, requestMethod string, header Header,
+ 		header.Del("Content-Length")
+ 	}
+ 
+-	if !isResponse && requestMethod == "GET" {
+-		// RFC 2616 doesn't explicitly permit nor forbid an
++	if !isResponse {
++		// RFC 2616 neither explicitly permits nor forbids an
+ 		// entity-body on a GET request so we permit one if
+ 		// declared, but we default to 0 here (not -1 below)
+ 		// if there's no mention of a body.
++		// Likewise, all other request methods are assumed to have
++		// no body if neither Transfer-Encoding chunked nor a
++		// Content-Length are set.
+ 		return 0, nil
+ 	}
+ 

golang-1.5.1-a3156aaa12.patch

@@ -0,0 +1,309 @@
+commit a3156aaa121446c4136927f8c2139fefe05ba82c
+Author: Brad Fitzpatrick <bradfitz@golang.org>
+Date:   Tue Sep 29 14:26:48 2015 -0700
+
+    net/http/httptest: change Server to use http.Server.ConnState for accounting
+    
+    With this CL, httptest.Server now uses connection-level accounting of
+    outstanding requests instead of ServeHTTP-level accounting. This is
+    more robust and results in a non-racy shutdown.
+    
+    This is much easier now that net/http.Server has the ConnState hook.
+    
+    Fixes #12789
+    Fixes #12781
+    
+    Change-Id: I098cf334a6494316acb66cd07df90766df41764b
+    Reviewed-on: https://go-review.googlesource.com/15151
+    Reviewed-by: Andrew Gerrand <adg@golang.org>
+    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+    TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+diff --git a/src/net/http/httptest/server.go b/src/net/http/httptest/server.go
+index 96eb0ef..e4f680f 100644
+--- a/src/net/http/httptest/server.go
++++ b/src/net/http/httptest/server.go
+@@ -7,13 +7,17 @@
+ package httptest
+ 
+ import (
++	"bytes"
+ 	"crypto/tls"
+ 	"flag"
+ 	"fmt"
++	"log"
+ 	"net"
+ 	"net/http"
+ 	"os"
++	"runtime"
+ 	"sync"
++	"time"
+ )
+ 
+ // A Server is an HTTP server listening on a system-chosen port on the
+@@ -34,24 +38,10 @@ type Server struct {
+ 	// wg counts the number of outstanding HTTP requests on this server.
+ 	// Close blocks until all requests are finished.
+ 	wg sync.WaitGroup
+-}
+-
+-// historyListener keeps track of all connections that it's ever
+-// accepted.
+-type historyListener struct {
+-	net.Listener
+-	sync.Mutex // protects history
+-	history    []net.Conn
+-}
+ 
+-func (hs *historyListener) Accept() (c net.Conn, err error) {
+-	c, err = hs.Listener.Accept()
+-	if err == nil {
+-		hs.Lock()
+-		hs.history = append(hs.history, c)
+-		hs.Unlock()
+-	}
+-	return
++	mu     sync.Mutex // guards closed and conns
++	closed bool
++	conns  map[net.Conn]http.ConnState // except terminal states
+ }
+ 
+ func newLocalListener() net.Listener {
+@@ -103,10 +93,9 @@ func (s *Server) Start() {
+ 	if s.URL != "" {
+ 		panic("Server already started")
+ 	}
+-	s.Listener = &historyListener{Listener: s.Listener}
+ 	s.URL = "http://" + s.Listener.Addr().String()
+-	s.wrapHandler()
+-	go s.Config.Serve(s.Listener)
++	s.wrap()
++	s.goServe()
+ 	if *serve != "" {
+ 		fmt.Fprintln(os.Stderr, "httptest: serving on", s.URL)
+ 		select {}
+@@ -134,23 +123,10 @@ func (s *Server) StartTLS() {
+ 	if len(s.TLS.Certificates) == 0 {
+ 		s.TLS.Certificates = []tls.Certificate{cert}
+ 	}
+-	tlsListener := tls.NewListener(s.Listener, s.TLS)
+-
+-	s.Listener = &historyListener{Listener: tlsListener}
++	s.Listener = tls.NewListener(s.Listener, s.TLS)
+ 	s.URL = "https://" + s.Listener.Addr().String()
+-	s.wrapHandler()
+-	go s.Config.Serve(s.Listener)
+-}
+-
+-func (s *Server) wrapHandler() {
+-	h := s.Config.Handler
+-	if h == nil {
+-		h = http.DefaultServeMux
+-	}
+-	s.Config.Handler = &waitGroupHandler{
+-		s: s,
+-		h: h,
+-	}
++	s.wrap()
++	s.goServe()
+ }
+ 
+ // NewTLSServer starts and returns a new Server using TLS.
+@@ -161,43 +137,139 @@ func NewTLSServer(handler http.Handler) *Server {
+ 	return ts
+ }
+ 
++type closeIdleTransport interface {
++	CloseIdleConnections()
++}
++
+ // Close shuts down the server and blocks until all outstanding
+ // requests on this server have completed.
+ func (s *Server) Close() {
+-	s.Listener.Close()
+-	s.wg.Wait()
+-	s.CloseClientConnections()
+-	if t, ok := http.DefaultTransport.(*http.Transport); ok {
++	s.mu.Lock()
++	if !s.closed {
++		s.closed = true
++		s.Listener.Close()
++		s.Config.SetKeepAlivesEnabled(false)
++		for c, st := range s.conns {
++			if st == http.StateIdle {
++				s.closeConn(c)
++			}
++		}
++		// If this server doesn't shut down in 5 seconds, tell the user why.
++		t := time.AfterFunc(5*time.Second, s.logCloseHangDebugInfo)
++		defer t.Stop()
++	}
++	s.mu.Unlock()
++
++	// Not part of httptest.Server's correctness, but assume most
++	// users of httptest.Server will be using the standard
++	// transport, so help them out and close any idle connections for them.
++	if t, ok := http.DefaultTransport.(closeIdleTransport); ok {
+ 		t.CloseIdleConnections()
+ 	}
++
++	s.wg.Wait()
+ }
+ 
+-// CloseClientConnections closes any currently open HTTP connections
+-// to the test Server.
++func (s *Server) logCloseHangDebugInfo() {
++	s.mu.Lock()
++	defer s.mu.Unlock()
++	var buf bytes.Buffer
++	buf.WriteString("httptest.Server blocked in Close after 5 seconds, waiting for connections:\n")
++	for c, st := range s.conns {
++		fmt.Fprintf(&buf, "  %T %p %v in state %v\n", c, c, c.RemoteAddr(), st)
++	}
++	log.Print(buf.String())
++}
++
++// CloseClientConnections closes any open HTTP connections to the test Server.
+ func (s *Server) CloseClientConnections() {
+-	hl, ok := s.Listener.(*historyListener)
+-	if !ok {
+-		return
++	s.mu.Lock()
++	defer s.mu.Unlock()
++	for c := range s.conns {
++		s.closeConn(c)
+ 	}
+-	hl.Lock()
+-	for _, conn := range hl.history {
+-		conn.Close()
++}
++
++func (s *Server) goServe() {
++	s.wg.Add(1)
++	go func() {
++		defer s.wg.Done()
++		s.Config.Serve(s.Listener)
++	}()
++}
++
++// wrap installs the connection state-tracking hook to know which
++// connections are idle.
++func (s *Server) wrap() {
++	oldHook := s.Config.ConnState
++	s.Config.ConnState = func(c net.Conn, cs http.ConnState) {
++		s.mu.Lock()
++		defer s.mu.Unlock()
++		switch cs {
++		case http.StateNew:
++			s.wg.Add(1)
++			if _, exists := s.conns[c]; exists {
++				panic("invalid state transition")
++			}
++			if s.conns == nil {
++				s.conns = make(map[net.Conn]http.ConnState)
++			}
++			s.conns[c] = cs
++			if s.closed {
++				// Probably just a socket-late-binding dial from
++				// the default transport that lost the race (and
++				// thus this connection is now idle and will
++				// never be used).
++				s.closeConn(c)
++			}
++		case http.StateActive:
++			if oldState, ok := s.conns[c]; ok {
++				if oldState != http.StateNew && oldState != http.StateIdle {
++					panic("invalid state transition")
++				}
++				s.conns[c] = cs
++			}
++		case http.StateIdle:
++			if oldState, ok := s.conns[c]; ok {
++				if oldState != http.StateActive {
++					panic("invalid state transition")
++				}
++				s.conns[c] = cs
++			}
++			if s.closed {
++				s.closeConn(c)
++			}
++		case http.StateHijacked, http.StateClosed:
++			s.forgetConn(c)
++		}
++		if oldHook != nil {
++			oldHook(c, cs)
++		}
+ 	}
+-	hl.Unlock()
+ }
+ 
+-// waitGroupHandler wraps a handler, incrementing and decrementing a
+-// sync.WaitGroup on each request, to enable Server.Close to block
+-// until outstanding requests are finished.
+-type waitGroupHandler struct {
+-	s *Server
+-	h http.Handler // non-nil
++// closeConn closes c. Except on plan9, which is special. See comment below.
++// s.mu must be held.
++func (s *Server) closeConn(c net.Conn) {
++	if runtime.GOOS == "plan9" {
++		// Go's Plan 9 net package isn't great at unblocking reads when
++		// their underlying TCP connections are closed.  Don't trust
++		// that that the ConnState state machine will get to
++		// StateClosed. Instead, just go there directly. Plan 9 may leak
++		// resources if the syscall doesn't end up returning. Oh well.
++		s.forgetConn(c)
++	}
++	go c.Close()
+ }
+ 
+-func (h *waitGroupHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+-	h.s.wg.Add(1)
+-	defer h.s.wg.Done() // a defer, in case ServeHTTP below panics
+-	h.h.ServeHTTP(w, r)
++// forgetConn removes c from the set of tracked conns and decrements it from the
++// waitgroup, unless it was previously removed.
++// s.mu must be held.
++func (s *Server) forgetConn(c net.Conn) {
++	if _, ok := s.conns[c]; ok {
++		delete(s.conns, c)
++		s.wg.Done()
++	}
+ }
+ 
+ // localhostCert is a PEM-encoded TLS cert with SAN IPs
+diff --git a/src/net/http/httptest/server_test.go b/src/net/http/httptest/server_test.go
+index 500a9f0..90901ce 100644
+--- a/src/net/http/httptest/server_test.go
++++ b/src/net/http/httptest/server_test.go
+@@ -27,3 +27,30 @@ func TestServer(t *testing.T) {
+ 		t.Errorf("got %q, want hello", string(got))
+ 	}
+ }
++
++// Issue 12781
++func TestGetAfterClose(t *testing.T) {
++	ts := NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++		w.Write([]byte("hello"))
++	}))
++
++	res, err := http.Get(ts.URL)
++	if err != nil {
++		t.Fatal(err)
++	}
++	got, err := ioutil.ReadAll(res.Body)
++	if err != nil {
++		t.Fatal(err)
++	}
++	if string(got) != "hello" {
++		t.Fatalf("got %q, want hello", string(got))
++	}
++
++	ts.Close()
++
++	res, err = http.Get(ts.URL)
++	if err == nil {
++		body, _ := ioutil.ReadAll(res.Body)
++		t.Fatalf("Unexected response after close: %v, %v, %s", res.Status, res.Header, body)
++	}
++}

golang.spec

@@ -22,6 +22,9 @@
 %global __spec_install_post /usr/lib/rpm/check-rpaths   /usr/lib/rpm/check-buildroot  \
   /usr/lib/rpm/brp-compress
 
+# allow turning this off
+%{!?build_xemacs:%global build_xemacs 1}
+
 # let this match the macros in macros.golang
 %global goroot          /usr/lib/%{name}
 %global gopath          %{_datadir}/gocode
@@ -40,11 +43,11 @@
 %endif
 
 %global go_api 1.5
-%global go_version 1.5
+%global go_version 1.5.1
 
 Name:           golang
-Version:        1.5
-Release:        6%{?dist}
+Version:        1.5.1
+Release:        1%{?dist}
 Summary:        The Go Programming Language
 
 License:        BSD
@@ -83,6 +86,9 @@ Patch214:       go1.5beta2-disable-TestCloneNEWUSERAndRemapNoRootDisableSetgroup
 # later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
 Patch215:       ./go1.5-zoneinfo_testing_only.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1271709
+Patch216:       ./golang-1.5.1-a3156aaa12.patch
+
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
 
@@ -208,6 +214,8 @@ Summary:        Golang shared object libraries
 # disable TestCloneNEWUSERAndRemapNoRootDisableSetgroups
 %patch214 -p1
 
+%patch216 -p1
+
 %build
 # go1.5 bootstrapping. The compiler is written in golang.
 export GOROOT_BOOTSTRAP=%{goroot}
@@ -424,6 +432,12 @@ fi
 %endif
 
 %changelog
+* Mon Oct 19 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5.1-1
+- bz1271709 include patch from upstream fix
+
+* Wed Sep 09 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5.1-0
+- update to go1.5.1
+
 * Thu Aug 27 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-6
 - starting a shared object subpackage. This will be x86_64 only until upstream supports more arches shared objects.
 
@@ -447,42 +461,8 @@ fi
 * Thu Aug 20 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-1
 - updating to go1.5
 
-* Thu Aug 06 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.11.rc1
-- fixing the sources reference
-
-* Thu Aug 06 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.10.rc1
-- updating to go1.5rc1
-- checks are back in place
-
-* Tue Aug 04 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.9.beta3
-- pull in upstream archive/tar fix
-
-* Thu Jul 30 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.8.beta3
-- updating to go1.5beta3
-
-* Thu Jul 30 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.7.beta2
-- add the patch ..
-
-* Thu Jul 30 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.5-0.6.beta2
-- increase ELFRESERVE (bz1248071)
-
-* Tue Jul 28 2015 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.5-0.5.beta2
-- correct package version and release tags as per naming guidelines
-
-* Fri Jul 17 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-4.1.5beta2
-- adding test output, for visibility
-
-* Fri Jul 10 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-3.1.5beta2
-- updating to go1.5beta2
-
-* Fri Jul 10 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-2.1.5beta1
-- add checksum to sources and fixed one patch
-
-* Fri Jul 10 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.99-1.1.5beta1
-- updating to go1.5beta1
-
-* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+* Wed Aug 05 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.2-3
+- bz1250352
 
 * Wed Mar 18 2015 Vincent Batts <vbatts@fedoraproject.org> - 1.4.2-2
 - obsoleting deprecated packages
@@ -521,64 +501,51 @@ fi
 * Mon Sep 29 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3.2-1
 - update to go1.3.2 (bz1147324)
 
-* Thu Sep 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3.1-3
-- patching the tzinfo failure
-
-* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3.1-1
-- update to go1.3.1
-
-* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-11
-- merged a line wrong
-
-* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-10
+* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-22
 - more work to get cgo.a timestamps to line up, due to build-env
-- explicitly list all the files and directories for the source and packages trees
+
+* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-21
+- touch cgo.a regardless
+
+* Wed Aug 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-20
+- rpm dependency ordering for %%post
+
+* Tue Aug 12 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-19
+- finally check for a Stale cgo in a %%post
+
+* Tue Aug 12 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-18
+- explicitly list all the files and directories for the packages trees
+
+* Tue Aug 12 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-17
+- explicitly list all the files and directories of the src tree, to preserve timestamps
+
+* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-16
 - touch all the built archives to be the same
 
-* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-9
+* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-15
 - make golang-src 'noarch' again, since that was not a fix, and takes up more space
 
-* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-8
+* Mon Aug 11 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-14
 - update timestamps of source files during %%install bz1099206
 
-* Fri Aug 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-7
+* Fri Aug 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-13
 - update timestamps of source during %%install bz1099206
 
-* Wed Aug 06 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-6
+* Fri Aug 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-12
+- set another version constraint on xemacs due to bz1127518
+
+* Wed Aug 06 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-11
+- set a version constraint on xemacs due to bz1127518
+
+* Wed Aug 06 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-10
 - make the source subpackage arch'ed, instead of noarch
 
-* Mon Jul 21 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-5
-- fix the writing of pax headers
-
-* Tue Jul 15 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-4
+* Tue Jul 15 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-9
 - fix the loading of gdb safe-path. bz981356
 
-* Tue Jul 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-3
+* Tue Jul 08 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.2.2-8
 - `go install std` requires gcc, to build cgo. bz1105901, bz1101508
 
-* Mon Jul 07 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-2
-- archive/tar memory allocation improvements
-
-* Thu Jun 19 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3-1
-- update to go1.3
-
-* Fri Jun 13 2014 Vincent Batts <vbatts@fedoraproject.org> - 1.3rc2-1
-- update to go1.3rc2
-
-* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3rc1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Tue Jun 03 2014 Vincent Batts <vbatts@redhat.com> 1.3rc1-1
-- update to go1.3rc1
-- new arch file shuffling
-
-* Wed May 21 2014 Vincent Batts <vbatts@redhat.com> 1.3beta2-1
-- update to go1.3beta2
-- no longer provides go-mode for xemacs (emacs only)
-
 * Wed May 21 2014 Vincent Batts <vbatts@redhat.com> 1.2.2-7
 - bz1099206 ghost files are not what is needed
 
@@ -665,23 +632,17 @@ fi
 - Pull upstream patches for BZ#1010271
 - Add glibc requirement that got dropped because of meta dep fix
 
-* Fri Aug 30 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-4
+* Thu Sep 19 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.2.2-3
 - fix the libc meta dependency (thanks to vbatts [at] redhat.com for the fix)
 
-* Tue Aug 27 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-3
-- Revert incorrect merged changelog
+* Fri Aug 16 2013 Adam Miller <admiller@redhat.com> - 1.1.2-2
+- vim-filesystem only required for Fedora , vim-common owns those files in RHEL
 
-* Tue Aug 27 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-2
-- This was reverted, just a placeholder changelog entry for bad merge
-
-* Tue Aug 20 2013 Adam Miller <maxamillion@fedoraproject.org> - 1.1.2-1
+* Fri Aug 16 2013 Adam Miller <admiller@redhat.com> - 1.1.2-1
 - Update to latest upstream
 
-* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
-
-* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1.1.1-6
-- Perl 5.18 rebuild
+* Fri Aug 16 2013 Adam Miller <admiller@redhat.com> - 1.1.1-6
+- Remove xemacs bits for RHEL build
 
 * Wed Jul 10 2013 Adam Goode <adam@spicenitz.org> - 1.1.1-5
 - Blacklist testdata files from prelink

sources

@@ -1 +1 @@
-3f072baece07fa42d18376419afad323  go1.5.src.tar.gz
+4adfbdfca523cc1c229be8a321f3602f  go1.5.1.src.tar.gz