Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.24] net/http: reject newlines in chunk-size lines
author Damien Neil <dneil@google.com>
Wed, 26 Feb 2025 21:40:00 +0000 (13:40 -0800)
committer Cherry Mui <cherryyz@google.com>
Tue, 18 Mar 2025 19:40:27 +0000 (12:40 -0700)
commit ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0
tree a37a34027330a01c4b97f2726d95c9d6a7d702c1
parent fd29397dca4f393a8a9ce6e9c952fa292e07a7f0

Unlike request headers, where we are allowed to leniently accept
a bare LF in place of a CRLF, chunked bodies must always use CRLF
line terminators. We were already enforcing this for chunk-data lines;
do so for chunk-size lines as well. Also reject bare CRs anywhere
other than as part of the CRLF terminator.

Fixes CVE-2025-22871
Fixes #72011
For #71988

Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
Reviewed-by: Jonathan Amsterdam <jba@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/657056
src/net/http/internal/chunked.go
src/net/http/internal/chunked_test.go
src/net/http/serve_test.go
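
An added example, not the code from this commit or from the Go project: a minimal chunk-size line reader that applies the rule the commit message describes (CRLF required, no bare LF terminator, no CR anywhere else in the line). The helper names `readChunkSizeLine` and `chunkSize`, the error value, and the sample lines are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var errBadChunkLine = errors.New("malformed chunk-size line")

// readChunkSizeLine (hypothetical helper) returns one chunk-size line without
// its CRLF. A bare LF terminator, or a CR anywhere else, is an error.
func readChunkSizeLine(br *bufio.Reader) ([]byte, error) {
	line, err := br.ReadSlice('\n')
	if err != nil {
		return nil, err
	}
	if len(line) < 2 || line[len(line)-2] != '\r' {
		return nil, errBadChunkLine // terminated by a bare LF
	}
	line = line[:len(line)-2]
	if bytes.IndexByte(line, '\r') >= 0 {
		return nil, errBadChunkLine // bare CR inside the line
	}
	return line, nil
}

// chunkSize (hypothetical helper) parses the hex size from raw wire bytes,
// ignoring any chunk extension after ';'.
func chunkSize(wire string) (uint64, error) {
	line, err := readChunkSizeLine(bufio.NewReader(strings.NewReader(wire)))
	if err != nil {
		return 0, err
	}
	size, _, _ := strings.Cut(string(line), ";")
	return strconv.ParseUint(strings.TrimRight(size, " \t"), 16, 64)
}

func main() {
	// Constructed sample lines, not captured traffic.
	for _, w := range []string{"1a;name=val\r\n", "5\n", "5;ext=\rfoo\r\n"} {
		n, err := chunkSize(w)
		fmt.Printf("%q -> size=%d err=%v\n", w, n, err)
	}
}
```

Rejecting the malformed lines outright, rather than trimming and continuing, keeps this reader from disagreeing with a stricter peer about where the chunk-size line ends.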