author Nicholas Husin <husin@google.com> 2025-08-25 13:07:25 +0000
committer Markus Kusano <kusano@google.com> 2025-08-27 13:40:17 -0700
commit 2ee4b31242e426df757aa09450b744e0af8cb08d (patch)
tree 2368422ab9e6061f8ea35610f9c1748a9ec0f7f1 /src/debug/elf
parent b21867b1a2a8e276257e3cb81f4a1dc7e8f9e2cd (diff)
download go-2ee4b31242e426df757aa09450b744e0af8cb08d.tar.xz
net/http: Ensure that CONNECT proxied requests respect MaxResponseHeaderBytes
Currently, CONNECT proxied requests use an unlimited Reader. As a result, a malicious or misbehaving proxy server can send an unlimited number of bytes to a client, causing the client to indefinitely receive bytes until it runs out of memory.

To prevent this, we now use a LimitedReader that limits the number of bytes according to MaxResponseHeaderBytes in Transport. If MaxResponseHeaderBytes is not provided, we use the default value of 10 MB that has historically been used (see #26315).

Fixes #74633

Change-Id: I0b03bb354139dbc64318874402f7f29cc0fb42ce
Reviewed-on: https://go-review.googlesource.com/c/go/+/698915
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat (limited to 'src/debug/elf')
0 files changed, 0 insertions, 0 deletions
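The bounding technique the commit message describes, as an added example that is not the code from this commit or from net/http: a proxy's CONNECT reply is parsed through an io.LimitedReader so that a header block with no end fails after a fixed byte budget instead of growing in memory. The names readConnectResponse, errHeaderTooLarge and endlessPad, the 4096-byte test budget and the in-memory "proxy" streams are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// defaultLimit is the 10 MB fallback named in the commit message.
const defaultLimit = 10 << 20

var errHeaderTooLarge = errors.New("CONNECT response headers exceed limit")

// readConnectResponse (hypothetical helper, not net/http's code) parses a
// proxy's reply to CONNECT while pulling at most limit bytes from conn.
func readConnectResponse(conn io.Reader, limit int64) (*http.Response, error) {
	if limit <= 0 {
		limit = defaultLimit
	}
	lr := &io.LimitedReader{R: conn, N: limit}
	req := &http.Request{Method: "CONNECT"}
	resp, err := http.ReadResponse(bufio.NewReader(lr), req)
	if err != nil && lr.N <= 0 {
		return nil, errHeaderTooLarge // budget spent before headers ended
	}
	return resp, err
}

// endlessPad is a constructed misbehaving proxy: a header value with no end.
type endlessPad struct{ sent int64 }

func (e *endlessPad) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'a'
	}
	e.sent += int64(len(p))
	return len(p), nil
}

func main() {
	pad := &endlessPad{}
	bad := io.MultiReader(strings.NewReader("HTTP/1.1 200 OK\r\nX-Pad: "), pad)
	_, err := readConnectResponse(bad, 4096)
	fmt.Println(err, "- bytes taken from proxy:", pad.sent)

	ok := strings.NewReader("HTTP/1.1 200 Connection established\r\n\r\n")
	resp, err := readConnectResponse(ok, 4096)
	fmt.Println(resp.StatusCode, err)
}
```

The limit covers everything read while parsing the status line and headers, so the client's memory use during the CONNECT handshake is bounded by the budget regardless of what the proxy sends.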