aboutsummaryrefslogtreecommitdiff
path: root/src/net/http/internal/chunked_test.go
AgeCommit message (Collapse)Author
2025-02-27net/http: reject newlines in chunk-size linesDamien Neil
Unlike request headers, where we are allowed to leniently accept a bare LF in place of a CRLF, chunked bodies must always use CRLF line terminators. We were already enforcing this for chunk-data lines; do so for chunk-size lines as well. Also reject bare CRs anywhere other than as part of the CRLF terminator. Fixes CVE-2025-22871 Fixes #71988 Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a Reviewed-on: https://go-review.googlesource.com/c/go/+/652998 Reviewed-by: Jonathan Amsterdam <jba@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2024-01-04net/http: respond with 400 Bad Request for empty hex number of chunk lengthAndy Pan
Fixes #64517 Change-Id: I78b8a6a83301deee05c3ff052a6adcd1f965aef2 Reviewed-on: https://go-review.googlesource.com/c/go/+/553835 Auto-Submit: Damien Neil <dneil@google.com> Commit-Queue: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Bryan Mills <bcmills@google.com>
2023-12-05net/http: limit chunked data overheadDamien Neil
The chunked transfer encoding adds some overhead to the content transferred. When writing one byte per chunk, for example, there are five bytes of overhead per byte of data transferred: "1\r\nX\r\n" to send "X". Chunks may include "chunk extensions", which we skip over and do not use. For example: "1;chunk extension here\r\nX\r\n". A malicious sender can use chunk extensions to add about 4k of overhead per byte of data. (The maximum chunk header line size we will accept.) Track the amount of overhead read in chunked data, and produce an error if it seems excessive. Fixes #64433 Fixes CVE-2023-39326 Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/547335 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2021-10-20net/http/internal: return unexpected EOF on incomplete chunk readAlexander Yastrebov
Fixes #48861 Change-Id: I3f55bfbdc4f2cf5b33d1ab2d76e01335bb497c6f GitHub-Last-Rev: 0ecd790b87ddd31d0cf08e8f2726f918a2edd1fb GitHub-Pull-Request: golang/go#48903 Reviewed-on: https://go-review.googlesource.com/c/go/+/355029 Trust: Damien Neil <dneil@google.com> Trust: Daniel Martí <mvdan@mvdan.cc> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
2020-10-20all: update references to symbols moved from io/ioutil to ioRuss Cox
The old ioutil references are still valid, but update our code to reflect best practices and get used to the new locations. Code compiled with the bootstrap toolchain (cmd/asm, cmd/dist, cmd/compile, debug/elf) must remain Go 1.4-compatible and is excluded. Also excluded vendored code. For #41190. Change-Id: I6d86f2bf7bc37a9d904b6cee3fe0c7af6d94d5b1 Reviewed-on: https://go-review.googlesource.com/c/go/+/263142 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
2016-10-18net/http/internal: don't block unnecessarily in ChunkedReaderBrad Fitzpatrick
Fixes #17355 Change-Id: I5390979cd0081b61a639466377faa46b4221b74a Reviewed-on: https://go-review.googlesource.com/31329 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2016-05-06all: use SeekStart, SeekCurrent, SeekEndJoe Tsai
CL/19862 (f79b50b8d5bc159561c1dcf7c17e2a0db96a9a11) recently introduced the constants SeekStart, SeekCurrent, and SeekEnd to the io package. We should use these constants consistently throughout the code base. Updates #15269 Change-Id: If7fcaca7676e4a51f588528f5ced28220d9639a2 Reviewed-on: https://go-review.googlesource.com/22097 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Joe Tsai <joetsai@digital-static.net> TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-01-25net/http: check max size of HTTP chunksBrad Fitzpatrick
Thanks to Régis Leroy for noticing. Change-Id: I5ca2402efddab4e63d884a9d315fc1394e514cb7 Reviewed-on: https://go-review.googlesource.com/18871 Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-11-10net/http/internal: ignore chunk-extension when reading chunked encoding bodiesBrad Fitzpatrick
Fixes #13135 Change-Id: I45666f32cd91102211bf01a306edcb10deb65187 Reviewed-on: https://go-review.googlesource.com/16680 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2014-09-08build: move package sources from src/pkg to srcRuss Cox
Preparation was in CL 134570043. This CL contains only the effect of 'hg mv src/pkg/* src'. For more about the move, see golang.org/s/go14nopkg.
generated by cgit v1.3 (git 2.53.0) at 2026-04-16 01:54:53 +0000