From: Michael Anthony Knyszek Date: Tue, 4 Apr 2023 22:07:09 +0000 (+0000) Subject: html/template,mime/multipart: document new GODEBUG settings X-Git-Tag: go1.21rc1~1035 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=0d719823af1343f9921ee0293596f09e36ced0e4;p=gostls13.git html/template,mime/multipart: document new GODEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. Updates #59234. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482238 Auto-Submit: Michael Knyszek Reviewed-by: Ian Lance Taylor Run-TryBot: Michael Knyszek Reviewed-by: Damien Neil TryBot-Result: Gopher Robot --- diff --git a/doc/godebug.md b/doc/godebug.md index 44f5dfd16d..d760e0f4ef 100644 --- a/doc/godebug.md +++ b/doc/godebug.md @@ -130,7 +130,19 @@ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching). Go 1.21 made it a run-time error to call `panic` with a nil interface value, controlled by the [`panicnil` setting](/pkg/builtin/#panic). -There is no plan to remove this setting. + +Go 1.21 made it an error for html/template actions to appear inside of an ECMAScript 6 +template literal, controlled by the +[`jstmpllitinterp` setting](/pkg/html/template#hdr-Security_Model). +This behavior was backported to Go 1.19.8+ and Go 1.20.3+. + +Go 1.21 introduced a limit on the maximum number of MIME headers and multipart +forms, controlled by the +[`multipartmaxheaders` and `multipartmaxparts` settings](/pkg/mime/multipart#hdr-Limits) +respectively. +This behavior was backported to Go 1.19.8+ and Go 1.20.3+. + +There is no plan to remove any of these settings. ### Go 1.20 diff --git a/src/html/template/doc.go b/src/html/template/doc.go index 57990e8a38..672d42ba32 100644 --- a/src/html/template/doc.go +++ b/src/html/template/doc.go @@ -231,5 +231,12 @@ Least Surprise Property: "A developer (or code reviewer) familiar with HTML, CSS, and JavaScript, who knows that contextual autoescaping happens should be able to look at a {{.}} and correctly infer what sanitization happens." + +As a consequence of the Least Surprise Property, template actions within an +ECMAScript 6 template literal are disabled by default. +Handling string interpolation within these literals is rather complex resulting +in no clear safe way to support it. +To re-enable template actions within ECMAScript 6 template literals, use the +GODEBUG=jstmpllitinterp=1 environment variable. */ package template diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go index 98d48e2bdd..da1f45810e 100644 --- a/src/mime/multipart/multipart.go +++ b/src/mime/multipart/multipart.go @@ -9,6 +9,21 @@ Package multipart implements MIME multipart parsing, as defined in RFC The implementation is sufficient for HTTP (RFC 2388) and the multipart bodies generated by popular browsers. + +# Limits + +To protect against malicious inputs, this package sets limits on the size +of the MIME data it processes. + +Reader.NextPart and Reader.NextRawPart limit the number of headers in a +part to 10000 and Reader.ReadForm limits the total number of headers in all +FileHeaders to 10000. +These limits may be adjusted with the GODEBUG=multipartmaxheaders= +setting. + +Reader.ReadForm further limits the number of parts in a form to 1000. +This limit may be adjusted with the GODEBUG=multipartmaxparts= +setting. */ package multipart