]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: c468957) | patch
net/http/fcgi: fix panic with malformed params record
authorDidier Spezia <didier.06@gmail.com>
Sat, 26 Sep 2015 17:21:35 +0000 (17:21 +0000)
committerBrad Fitzpatrick <bradfitz@golang.org>
Sun, 27 Sep 2015 06:57:03 +0000 (06:57 +0000)
commitb7fa4f27ba0c127512f2c4808c628efe842ff660
tree7f4d6e364804b2b7fa34002ced3d23705a9c9ba8tree
parentc4689579c0bcd0ea028e3847e7d407141faa26e2commit | diff
net/http/fcgi: fix panic with malformed params record

As stated in FastCGI specifications:

FastCGI transmits a name-value pair as the length of the name,
followed by the length of the value, followed by the name,
followed by the value.

The current implementation trusts the name and value length
provided in the record, leading to a panic if the record
is malformed.

Added an explicit check on the lengths.

Test case and fix suggested by diogin@gmail.com (Jingcheng Zhang)

Fixes #11824

Change-Id: I883a1982ea46465e1fb02e0e02b6a4df9e529ae4
Reviewed-on: https://go-review.googlesource.com/15015
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
src/net/http/fcgi/child.go diff | blob | history
src/net/http/fcgi/fcgi_test.go diff | blob | history
Go GOST TLS 1.3