Cypherpunks repositories - gostls13.git/commit
net/http: reject newlines in chunk-size lines
author Damien Neil <dneil@google.com>
Wed, 26 Feb 2025 21:40:00 +0000 (13:40 -0800)
committer Damien Neil <dneil@google.com>
Thu, 27 Feb 2025 17:23:42 +0000 (09:23 -0800)
commit d31c805535f3fde95646ee4d87636aaaea66847b
tree 8b57401f9ba33824598cd363d83520876cf6d798
parent 01351209225d609f8012e2406550211137716727
net/http: reject newlines in chunk-size lines

Unlike request headers, where we are allowed to leniently accept
a bare LF in place of a CRLF, chunked bodies must always use CRLF
line terminators. We were already enforcing this for chunk-data lines;
do so for chunk-size lines as well. Also reject bare CRs anywhere
other than as part of the CRLF terminator.

Fixes CVE-2025-22871
Fixes #71988

Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
Reviewed-by: Jonathan Amsterdam <jba@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
src/net/http/internal/chunked.go
src/net/http/internal/chunked_test.go
src/net/http/serve_test.go
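
The rule stated in the commit message above, as an added Go example (not the net/http code from this commit): a chunk-size line is accepted only when it ends in CRLF and contains no other CR or LF. The names `readChunkSize`, `parseChunkSize` and `errBadLine` are hypothetical, and the inputs in `main` are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var errBadLine = errors.New("malformed chunk-size line")

// readChunkSize is a hypothetical helper, not net/http's implementation.
// It reads one chunk-size line and returns the chunk length in bytes.
func readChunkSize(br *bufio.Reader) (uint64, error) {
	line, err := br.ReadSlice('\n')
	if err != nil {
		return 0, err
	}
	// The terminator must be exactly CRLF; a bare LF is rejected.
	if len(line) < 2 || line[len(line)-2] != '\r' {
		return 0, errBadLine
	}
	line = line[:len(line)-2]
	// A CR anywhere other than in the CRLF terminator is rejected too.
	if bytes.IndexByte(line, '\r') >= 0 {
		return 0, errBadLine
	}
	// Drop any chunk extension (";name=value") before parsing the hex size.
	if i := bytes.IndexByte(line, ';'); i >= 0 {
		line = line[:i]
	}
	return strconv.ParseUint(string(bytes.TrimSpace(line)), 16, 64)
}

// parseChunkSize runs readChunkSize over an in-memory string.
func parseChunkSize(s string) (uint64, error) {
	return readChunkSize(bufio.NewReader(strings.NewReader(s)))
}

func main() {
	// Constructed inputs: valid CRLF, bare LF, bare LF inside an extension, stray CR.
	for _, in := range []string{"1a\r\n", "1a\n", "5;ext\nx\r\n", "1\ra\r\n"} {
		n, err := parseChunkSize(in)
		fmt.Printf("%q -> %d, %v\n", in, n, err)
	}
}
```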