| Age | Commit message (Collapse) | Author |
|---|
|
This is Go 1 package renaming CL #3.
This one merely moves the source; the import strings will be
changed after the next weekly release.
This one moves pieces into net.
http -> net/http
http/cgi -> net/http/cgi
http/fcgi -> net/http/fcgi
http/pprof -> net/http/pprof
http/httptest -> net/http/httptest
mail -> net/mail
rpc -> net/rpc
rpc/jsonrpc -> net/rpc/jsonrpc
smtp -> net/smtp
url -> net/url
Also remove rand (now math/rand) from NOTEST - it has a test.
The only edits are in Makefiles and deps.bash.
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5335048
|
|
R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/5322051
|
|
tls.Conn.Close() didn't close the underlying connection and tried to
do a handshake in order to send the close notify alert.
http didn't look for errors from the TLS handshake.
Fixes #2281.
R=bradfitz
CC=golang-dev
https://golang.org/cl/5283045
|
|
Fixes #2375.
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5279049
|
|
Previously, if an http.Handler didn't fully consume a
Request.Body before returning and the request and the response
from the handler indicated no reason to close the connection,
the server would read an unbounded amount of the request's
unread body to advance past the request message to find the
next request's header. That was a potential DoS.
With this CL there's a threshold under which we read
(currently 256KB) in order to keep the connection in
keep-alive mode, but once we hit that, we instead
switch into a "Connection: close" response and don't
read the request body.
Fixes #2093 (along with number of earlier CLs)
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/5268043
|
|
This implements a replacer for when all old strings are single
bytes, but new values are not.
BenchmarkHTMLEscapeNew 1000000 1090 ns/op
BenchmarkHTMLEscapeOld 1000000 2049 ns/op
R=rsc
CC=golang-dev
https://golang.org/cl/5176043
|
|
Fixes #2312
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/5143049
|
|
Fixes #2263
R=golang-dev, adg
CC=golang-dev
https://golang.org/cl/5076042
|
|
RFC2616 says servers should return this status code when
rejecting requests that are too large.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.14
R=bradfitz
CC=golang-dev
https://golang.org/cl/4962041
|
|
Fixes #2160
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/4930049
|
|
The kludge is targeted at broken web browsers
like Chrome and IE, but it gets in the way of
sending 400 or 500-series error results with
formatted bodies in response to AJAX requests
made by pages executing in those browsers.
Now the AJAX cases will work and Chrome
and IE will be as broken with Go servers as
they are with all the other servers.
Fixes #2169.
R=bradfitz, dsymonds
CC=golang-dev
https://golang.org/cl/4930047
|
|
This adds http.MaxBytesReader, similar to io.LimitReader,
but specific to http, and for preventing a class of DoS
attacks.
This also makes the 10MB ParseForm limit optional (if
not already set by a MaxBytesReader), documents it,
and also adds "PUT" as a valid verb for parsing forms
in the request body.
Improves issue 2093 (DoS protection)
Fixes #2165 (PUT form parsing)
R=golang-dev, adg
CC=golang-dev
https://golang.org/cl/4921049
|
|
This is just moving the URL code from package http into its own package,
which has been planned for a while.
Besides clarity, this also breaks a nascent dependency cycle the new template
package was about to introduce.
Add a gofix module, url, and use it to generate changes outside http and url.
Sadness about the churn, gladness about some of the naming improvements.
R=dsymonds, bradfitz, rsc, gustavo, r
CC=golang-dev
https://golang.org/cl/4893043
|
|
This addresses the biggest DoS in issue 2093
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/4841050
|
|
R=gri, r, r, rsc
CC=golang-dev
https://golang.org/cl/4794047
|
|
R=golang-dev, bradfitz, gri
CC=golang-dev
https://golang.org/cl/4807044
|
|
Something is broken, and investigation is underway.
In the meantime, godoc is broken, so disable sniffing for now
by reverting to the pre-sniffer state.
R=r
CC=golang-dev
https://golang.org/cl/4809046
|
|
This follows draft-ietf-websec-mime-sniff-03 in its intent,
though not its algorithmic specification.
R=rsc
CC=golang-dev
https://golang.org/cl/4746042
|
|
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/4753044
|
|
R=dsymonds
CC=golang-dev
https://golang.org/cl/4746041
|
|
Change the signature of Split to have no count,
assuming a full split, and rename the existing
Split with a count to SplitN.
Do the same to package bytes.
Add a gofix module.
R=adg, dsymonds, alex.brainman, rsc
CC=golang-dev
https://golang.org/cl/4661051
|
|
Fixes #2011
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/4667043
|
|
R=rsc
CC=golang-dev
https://golang.org/cl/4626067
|
|
Previously we were snapshotting the TLS state into *Request
before we did the HTTP ReadRequest, the first Read of which
triggered the TLS handshake implicitly.
Fixes #1956
R=golang-dev, rsc
CC=agl, golang-dev
https://golang.org/cl/4630072
|
|
We'll do the right thing by default, but people wanting minimal
response sizes can explicitly remove the Date header.
(empty fields aren't written out)
R=rsc
CC=golang-dev
https://golang.org/cl/4634048
|
|
Fixes #1964
R=rsc
CC=golang-dev
https://golang.org/cl/4630045
|
|
(Variable is referred to alternately as 'r' and 'req')
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/4648042
|
|
Previously Request and Response had redundant fields for
Referer, UserAgent, and cookies which caused confusion and
bugs. It also didn't allow us to expand the package over
time, since the way to access fields would be in the Headers
one day and promoted to a field the next day. That would be
hard to gofix, especially with code ranging over Headers.
After a discussion on the mail package's design with a similar
problem, we've designed to make the Headers be the source of
truth and add accessors instead.
Request:
change: Referer -> Referer()
change: UserAgent -> UserAgent()
change: Cookie -> Cookies()
new: Cookie(name) *Cookie
new: AddCookie(*Cookie)
Response:
change: Cookie -> Cookies()
Cookie:
new: String() string
R=rsc
CC=golang-dev
https://golang.org/cl/4620049
|
|
Test output now looks like this:
2011/06/15 21:10:41 http: panic serving 127.0.0.1:59729: intentional death for testing
$GOROOT/src/pkg/http/server.go:495 (0x3f9f8)
_func_004: buf.Write(debug.Stack())
$GOROOT/src/pkg/runtime/proc.c:1041 (0x12367)
panic: reflect·call(d->fn, d->args, d->siz);
$GOROOT/src/pkg/http/serve_test.go:775 (0x5831b)
_func_029: panic("intentional death for testing")
$GOROOT/src/pkg/http/server.go:575 (0x26366)
HandlerFunc.ServeHTTP: f(w, r)
$GOROOT/src/pkg/http/server.go:541 (0x261a9)
*conn.serve: c.handler.ServeHTTP(w, w.req)
$GOROOT/src/pkg/runtime/proc.c:178 (0x10a83)
goexit: runtime·goexit(void)
with $GOROOT expanded, of course.
R=bradfitz, rsc
CC=golang-dev
https://golang.org/cl/4607051
|
|
With the ReadFrom change in the sendfile CL, it became
possible to illegally send a response to a HEAD request if you
did it via io.Copy.
Fixes #1939
R=rsc
CC=golang-dev
https://golang.org/cl/4584049
|
|
Fixes #1891
R=rsc
CC=golang-dev
https://golang.org/cl/4550112
|
|
R=rsc
CC=golang-dev
https://golang.org/cl/4559067
|
|
Speeds up static fileserver, avoiding kernel/userspace copies.
Numbers: downloading 14 MB AppEngine Go SDK with ab (Apache Bench)
with 5 threads:
Before/after numbers:
CPU:
user 0m3.910s
sys 0m23.650s
->
user 0m0.720s
sys 0m4.890s
Time taken for tests: 8.906 seconds
->
Time taken for tests: 8.545 seconds
Percentage of the requests served within a certain time (ms)
50% 44
66% 45
75% 46
80% 46
90% 48
95% 51
98% 59
99% 71
100 74 (longest request)
->
50% 42
66% 43
75% 43
80% 44
90% 46
95% 57
98% 62
99% 63
100% 64 (longest request)
R=iant, gary.burd, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/4543071
|
|
R=adg, rsc, kevlar, r
CC=golang-dev
https://golang.org/cl/4476045
|
|
R=golang-dev, bradfitz, dsymonds
CC=golang-dev
https://golang.org/cl/4426069
|
|
R=rsc, bradfitz
CC=golang-dev
https://golang.org/cl/4431068
|
|
Fixes #213
R=r, rsc
CC=golang-dev
https://golang.org/cl/4432043
|
|
This fixes our http behavior (even if Handlers forget to
consume a request body, we do it for them before we send
their response header), fixes the racy TestServerExpect,
and adds TestServerConsumesRequestBody.
With GOMAXPROCS>1, the http tests now seem race-free.
R=rsc
CC=golang-dev
https://golang.org/cl/4419042
|
|
This mostly adds Expect 100-continue tests (from
the perspective of server correctness) that were
missing before.
It also fixes a few missing cases that will
probably never come up in practice, but it's nice
to have handled correctly.
Proper 100-continue client support remains a TODO.
R=rsc, bradfitzwork
CC=golang-dev
https://golang.org/cl/4399044
|
|
rsc's earlier fix, plus tests.
R=rsc
CC=golang-dev
https://golang.org/cl/4285062
|
|
Also don't serialize empty headers.
R=dsymonds, rsc
CC=golang-dev
https://golang.org/cl/4275045
|
|
ResponseWriter.RemoteAddr() string -> Request.RemoteAddr string
ResponseWriter.UsingTLS() bool -> Request.TLS *tls.ConnectionState
R=rsc, bradfitzwork
CC=gburd, golang-dev
https://golang.org/cl/4248075
|
|
The Flush functionality wasn't removed, but now you have
to test if your ResponseWriter is also a Flusher:
func ServeHTTP(rw http.ResponseWriter, req *http.Request) {
if f, ok := rw.(http.Flusher); ok {
f.Flush()
}
}
R=rsc, bradfitzwork
CC=gburd, golang-dev
https://golang.org/cl/4239077
|
|
Caller code needs to change:
rw.SetHeader("Content-Type", "text/plain")
to:
rw.Header().Set("Content-Type", "text/plain")
This now permits returning multiple headers
with the same name using Add:
rw.Header().Add("Set-Cookie", "..")
rw.Header().Add("Set-Cookie", "..")
This patch also fixes serialization of headers, removing newline characters.
Fixes #488
Fixes #914
R=rsc
CC=gburd, golang-dev
https://golang.org/cl/4239076
|
|
The http/cgi package now supports both being
a CGI host or being a CGI child process.
R=rsc, adg, bradfitzwork
CC=golang-dev
https://golang.org/cl/4245070
|
|
net.Conn is itself a io.ReadWriteCloser, so
most code should be unaffected.
R=rsc, gburd
CC=golang-dev
https://golang.org/cl/4261052
|
|
R=adg
CC=golang-dev
https://golang.org/cl/4245065
|
|
The Hijack functionality wasn't removed, but now you have
to test if your ResponseWriter is also a Hijacker:
func ServeHTTP(rw http.ResponseWriter, req *http.Request) {
if hj, ok := rw.(http.Hijacker); ok {
hj.Hijack(..)
}
}
R=rsc
CC=golang-dev
https://golang.org/cl/4245064
|
|
Currently all http handlers reply to HTTP/1.1 requests with
chunked responses. This patch allows handlers to opt-out of
that behavior by pre-declaring their Content-Length (which is
then enforced) and unsetting their Transfer-Encoding or
setting it to the "identity" encoding.
R=rsc, bradfitzwork
CC=golang-dev
https://golang.org/cl/4245058
|
|
R=r
CC=golang-dev
https://golang.org/cl/4169065
|
