src/go.mod, net/http: update bundled and latest golang.org/x/net

Updates x/net/http2 to git rev 62affa334b73ec65ed44a326519ac12c421905e3 x/net/http2: reject HTTP/2 Content-Length headers containing a sign https://go-review.googlesource.com/c/net/+/236098/ (fixes #39017) also updates the vendored version of golang.org/x/net by running go get golang.org/x/net@62affa334b73ec65ed44a326519ac12c421905e3 go mod tidy go mod vendor go generate -run bundle net/http Change-Id: I7ecfdb7644574c44c3616e3b47664eefd4c926f3 Reviewed-on: https://go-review.googlesource.com/c/go/+/253238 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
author: Paschalis Tsilias <paschalis.tsilias@gmail.com> 2020-09-05 15:01:19 +0300
committer: Emmanuel Odeke <emm.odeke@gmail.com> 2020-09-05 16:55:51 +0000
commit: 62fe10bf4e62c97af3bb8eb2ef72d9224a8752ba (patch)
tree: dae8d8fa09114ada175679d958caf7633860d475 /src/net/http
parent: bf833ead6250290dce039ffeee88f20a086b5dbe (diff)
download: go-62fe10bf4e62c97af3bb8eb2ef72d9224a8752ba.tar.xz
1 files changed, 9 insertions, 6 deletions
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 463e7e8ce9..458e0b7646 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -5591,7 +5591,11 @@ func (sc *http2serverConn) newWriterAndRequest(st *http2stream, f *http2MetaHead
 	}
 	if bodyOpen {
 		if vv, ok := rp.header["Content-Length"]; ok {
-			req.ContentLength, _ = strconv.ParseInt(vv[0], 10, 64)
+			if cl, err := strconv.ParseUint(vv[0], 10, 63); err == nil {
+				req.ContentLength = int64(cl)
+			} else {
+				req.ContentLength = 0
+			}
 		} else {
 			req.ContentLength = -1
 		}
@@ -5974,9 +5978,8 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
 		var ctype, clen string
 		if clen = rws.snapHeader.Get("Content-Length"); clen != "" {
 			rws.snapHeader.Del("Content-Length")
-			clen64, err := strconv.ParseInt(clen, 10, 64)
-			if err == nil && clen64 >= 0 {
-				rws.sentContentLen = clen64
+			if cl, err := strconv.ParseUint(clen, 10, 63); err == nil {
+				rws.sentContentLen = int64(cl)
 			} else {
 				clen = ""
 			}
@@ -8505,8 +8508,8 @@ func (rl *http2clientConnReadLoop) handleResponse(cs *http2clientStream, f *http
 	if !streamEnded || isHead {
 		res.ContentLength = -1
 		if clens := res.Header["Content-Length"]; len(clens) == 1 {
-			if clen64, err := strconv.ParseInt(clens[0], 10, 64); err == nil {
-				res.ContentLength = clen64
+			if cl, err := strconv.ParseUint(clens[0], 10, 63); err == nil {
+				res.ContentLength = int64(cl)
 			} else {
 				// TODO: care? unlike http/1, it won't mess up our framing, so it's
 				// more safe smuggling-wise to ignore.
author	Paschalis Tsilias <paschalis.tsilias@gmail.com>	2020-09-05 15:01:19 +0300
committer	Emmanuel Odeke <emm.odeke@gmail.com>	2020-09-05 16:55:51 +0000
commit	62fe10bf4e62c97af3bb8eb2ef72d9224a8752ba (patch)
tree	dae8d8fa09114ada175679d958caf7633860d475 /src/net/http
parent	bf833ead6250290dce039ffeee88f20a086b5dbe (diff)
download	go-62fe10bf4e62c97af3bb8eb2ef72d9224a8752ba.tar.xz