Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=json-isValidNumber 2022-12-21T18:56:32Z 2022-12-21T18:56:32Z Damien Neil dneil@google.com 2022-12-14T17:55:06Z urn:sha1:458241f981e0a8e1d9e0b2f6ae53be62f00001d2 This reverts CL 407414. When forwarding an inbound request that contains an existing X-Forwarded-Host or X-Forwarded-Proto header, a proxy might want to preserve the header from the inbound request, replace it with its own header, or not include any header at all. CL 407414 replaces inbound X-Forwarded-{Host,Proto} headers by default, and allows a Director func to disable sending these headers at all. However, the Director hook API isn't sufficiently flexible to permit the previous behavior of preserving inbound values unchanged. The new Rewrite API does have this flexibility; users of Rewrite can easily pick the exact behavior they want. Revert the change to ReverseProxy when using a Director func. Users who want a convenient way to set X-Forwarded-* headers to reasonable values can migrate to Rewrite at their convenience, and users depending on the current behavior will be unaffected. For #50465. Fixes #57132. Change-Id: Ic42449c1bb525d6c9920bf721efbc519697f4f20 Reviewed-on: https://go-review.googlesource.com/c/go/+/457595 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> 2022-11-22T18:25:01Z Damien Neil dneil@google.com 2022-11-22T17:22:13Z urn:sha1:69ca0a859cbd8807b03b7772a11f5a147cd46565 This reverts CL 450375. Reason for revert: This change causes test failures (and possibly other problems) for users depending on the existing validation behavior. Rolling back the change for now to give us more time to consider its impact. This landed late in the cycle and isn't urgent; it can wait for 1.21 if we do want to make the change. Fixes #56884 For #56732 Change-Id: I082023c67f1bbb933a617453ab92b67abba876ef Reviewed-on: https://go-review.googlesource.com/c/go/+/452795 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> 2022-11-15T00:02:58Z Ian Lance Taylor iant@golang.org 2022-11-14T20:02:23Z urn:sha1:e6ebbefaf848604c8df3e2a58e146948b03e608b Per https://url.spec.whatwg.org/#percent-encoded-bytes an invalid percent encoding should be handled as ordinary text. Fixes #56732 Change-Id: Ib0259dfd704922905289eebaacbf722e28f6d636 Reviewed-on: https://go-review.googlesource.com/c/go/+/450375 Run-TryBot: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> 2022-09-23T21:06:17Z Damien Neil dneil@google.com 2022-09-22T20:32:00Z urn:sha1:7c84234142149bd24a4096c6cab691d3593f3431 Query parameter smuggling occurs when a proxy's interpretation of query parameters differs from that of a downstream server. Change ReverseProxy to avoid forwarding ignored query parameters. Remove unparsable query parameters from the outbound request * if req.Form != nil after calling ReverseProxy.Director; and * before calling ReverseProxy.Rewrite. This change preserves the existing behavior of forwarding the raw query untouched if a Director hook does not parse the query by calling Request.ParseForm (possibly indirectly). Fixes #54663 Fixes CVE-2022-2880 Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9 Reviewed-on: https://go-review.googlesource.com/c/go/+/432976 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com> 2022-09-14T23:59:32Z Kévin Dunglas kevin@dunglas.fr 2022-08-30T10:18:50Z urn:sha1:972870da11bb4ddd3df393473c494bd2b546cc56 Support for 1xx responses has recently been merged in net/http (CL 269997). As discussed in this CL (https://go-review.googlesource.com/c/go/+/269997/comments/1ff70bef_c25a829a), support for forwarding 1xx responses in ReverseProxy has been extracted in this separate patch. According to RFC 7231, "a proxy MUST forward 1xx responses unless the proxy itself requested the generation of the 1xx response". Consequently, all received 1xx responses are automatically forwarded as long as the underlying transport supports ClientTrace.Got1xxResponse. Fixes #26088 Fixes #51914 Change-Id: I3a35ea023b798bfe56b7fb8696d5a49695229cfd GitHub-Last-Rev: dab8a461fb65b547306cae9b4c664e60020a8fa6 GitHub-Pull-Request: golang/go#53164 Reviewed-on: https://go-review.googlesource.com/c/go/+/409536 Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Rhys Hiltner <rhys@justin.tv> Run-TryBot: hopehook <hopehook@golangcn.org> 2022-09-06T17:34:07Z cuiweixie cuiweixie@gmail.com 2022-09-04T10:37:30Z urn:sha1:ce8dcd9879652975d83e0843b1d3d3f593a8a4ff Change-Id: Ifb51413894791154489bd1d4f529088958212c62 Reviewed-on: https://go-review.googlesource.com/c/go/+/428270 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> 2022-08-16T20:01:36Z Damien Neil dneil@google.com 2022-05-18T23:23:28Z urn:sha1:a55793835f16d0242be18aff4ec0bd13494175bd Add a new Rewrite hook to ReverseProxy, superseding the Director hook. Director does not distinguish between the inbound and outbound request, which makes it possible for headers added by Director to be inadvertently removed before forwarding if they are listed in the inbound request's Connection header. Rewrite accepts a value containing the inbound and outbound requests, with hop-by-hop headers already removed from the outbound request, avoiding this problem. ReverseProxy's appends the client IP to the inbound X-Forwarded-For header by default. Users must manually delete untrusted X-Forwarded-For values. When used with a Rewrite hook, ReverseProxy now strips X-Forwarded-* headers by default. NewSingleHostReverseProxy creates a proxy that does not rewrite the Host header of inbound requests. Changing this behavior is cumbersome, as it requires wrapping the Director function created by NewSingleHostReverseProxy. The Rewrite hook's ProxyRequest parameter provides a SetURL method that provides equivalent functionality to NewSingleHostReverseProxy, rewrites the Host header by default, and can be more easily extended with additional customizations. Fixes #28168. Fixes #50580. Fixes #53002. Change-Id: Ib84e2fdd1d52c610e3887af66f517d4a74e594d0 Reviewed-on: https://go-review.googlesource.com/c/go/+/407214 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Damien Neil <dneil@google.com> 2022-08-12T16:38:52Z Damien Neil dneil@google.com 2022-05-19T19:33:05Z urn:sha1:f001df540b3fc66a475985c1b7c810e7df063c8f When ReverseProxy forwards a request with no User-Agent header, leave the header in the forwarded request blank rather than inserting the default Go HTTP clent User-Agent. We already did this for NewSingleHostReverseProxy; generalize it to every ReverseProxy. Change-Id: Id81a230cb8d384acdfae190b78a4265d80720388 Reviewed-on: https://go-review.googlesource.com/c/go/+/407375 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> 2022-08-12T16:38:28Z Damien Neil dneil@google.com 2022-05-19T20:20:21Z urn:sha1:1513e57b704056b794f0706362fa3c949f2972a4 X-Forwarded-Host contains the original request's host. X-Forwarded-Proto contains "http" or "https", depending on whether the original request was made on a TLS-secured connection. Setting either header to nil in Director disables adding the header, same as for X-Forwarded-For. Fixes #50465. Change-Id: If8ed1f48d83f8ea0389c53519bc7994cb53891db Reviewed-on: https://go-review.googlesource.com/c/go/+/407414 Reviewed-by: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 2021-10-13T17:16:12Z James Harris mailjamesharris@gmail.com 2021-09-17T02:29:00Z urn:sha1:4a3daeee636751a262eb9f77d8e90c59955ee6bb This change allows httputil.ReverseProxy to detect SSE (server-sent events) content when the response's Content-Type header includes MIME parameters, such as "text/event-stream;charset=utf-8". Prior to this change the value of the Content-Type header was compared directly to the literal "text/event-stream". This caused a false-negative which failed to set the FlushInterval correctly when MIME parameters were present. Change-Id: If8bb43efb78787b6519d7fe7599ca018a0da0023 GitHub-Last-Rev: 224518c5eb9686ee050c79f5f853ebacfdf6fc42 GitHub-Pull-Request: golang/go#48427 Reviewed-on: https://go-review.googlesource.com/c/go/+/350509 Trust: Alexander Rakoczy <alex@golang.org> Trust: Damien Neil <dneil@google.com> Run-TryBot: Alexander Rakoczy <alex@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com>