]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: e938de2) | patch
[release-branch.go1.4] net/textproto: don't treat spaces as hyphens in header keys
authorBrad Fitzpatrick <bradfitz@golang.org>
Tue, 30 Jun 2015 16:22:41 +0000 (09:22 -0700)
committerChris Broadfoot <cbro@golang.org>
Tue, 22 Sep 2015 06:39:39 +0000 (06:39 +0000)
commit8f429671248bbcf956fa8a1b7c3a1072285a3b8b
tree6e445c2c35c6bc118a55bf768f01ec625576750ftree
parente938de22be4ee63d65152024f75d62482d3d69b4commit | diff
[release-branch.go1.4] net/textproto: don't treat spaces as hyphens in header keys

This was originally done in https://codereview.appspot.com/5690059
(Feb 2012) to deal with bad response headers coming back from webcams,
but it presents a potential security problem with HTTP request
smuggling for request headers containing "Content Length" instead of
"Content-Length".

Part of overall HTTP hardening for request smuggling. See RFC 7230.

Thanks to RĂ©gis Leroy for the report.

Change-Id: I92b17fb637c9171c5774ea1437979ae2c17ca88a
Reviewed-on: https://go-review.googlesource.com/11772
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/14249
Reviewed-by: Andrew Gerrand <adg@golang.org>
src/net/http/header.go diff | blob | history
src/net/textproto/reader.go diff | blob | history
src/net/textproto/reader_test.go diff | blob | history
Go GOST TLS 1.3