commit | 261fb518b1ed846d17ed4bf64d95e8a0a7894600 | |
---|---|---|
author | Katie Hockman <katie@golang.org> | Fri Apr 23 12:56:01 2021 -0400 |
committer | Katie Hockman <katie@golang.org> | Wed Apr 28 18:38:41 2021 +0000 |
tree | d94e2d14c5b98b39a150d1bd1a6ff88f738fe99c | |
parent | a5fa9d4b7c91aa1c3fecbeb6358ec1127b910dd6 | |

[release-branch.go1.15] http/httpguts: remove recursion in HeaderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525
Updates golang/go#45710
Updates golang/go#45711

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 89ef3d95e781148a0951956029c92a211477f7f9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314650
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

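The commit message above describes replacing recursion with iteration when scanning a comma-separated header value. The following is an added illustration, not the code from this commit or from golang.org/x/net: the function names, the depth counter, and the use of `strings.EqualFold` for token comparison are assumptions made for the example. It shows that the recursive form's call depth tracks the number of list elements, while the loop uses a single frame.

```go
package main

import (
	"fmt"
	"strings"
)

// trimOWS strips optional whitespace (space and tab) around a list element.
func trimOWS(s string) string { return strings.Trim(s, " \t") }

// containsTokenRecursive handles one element per call, so the call depth
// grows with the number of commas in v. depth records the deepest call.
func containsTokenRecursive(v, token string, level int, depth *int) bool {
	if level > *depth {
		*depth = level
	}
	if comma := strings.IndexByte(v, ','); comma != -1 {
		return strings.EqualFold(trimOWS(v[:comma]), token) ||
			containsTokenRecursive(v[comma+1:], token, level+1, depth)
	}
	return strings.EqualFold(trimOWS(v), token)
}

// containsTokenIterative walks the same list in a loop: one stack frame,
// regardless of how many elements the header value holds.
func containsTokenIterative(v, token string) bool {
	for {
		comma := strings.IndexByte(v, ',')
		if comma == -1 {
			return strings.EqualFold(trimOWS(v), token)
		}
		if strings.EqualFold(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
}

// maxDepth reports how deep the recursive form goes for v (hypothetical helper).
func maxDepth(v, token string) int {
	depth := 0
	containsTokenRecursive(v, token, 1, &depth)
	return depth
}

func main() {
	v := strings.Repeat("keep-alive, ", 1000) + "close" // constructed sample
	fmt.Println(maxDepth(v, "upgrade"), containsTokenIterative(v, "close"))
}
```
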
This repository holds supplementary Go networking libraries.
The easiest way to install is to run `go get -u golang.org/x/net`. You can also manually git clone the repository to `$GOPATH/src/golang.org/x/net`.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.