commit 50eb39bb23e8b03e823c38e844f0410d0b5325d2
Author: Chris Broadfoot
Date: 2015-09-22 21:12:21 -07:00
[release-branch.go1.4] go1.4.3
Change-Id: I9f0c6cf2dfc83f95905e75977a3e679a4152aa41
Reviewed-on: https://go-review.googlesource.com/14855
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
commit 5d9c28077dee9af1e03dba6c57de08a04e767f13
Author: Chris Broadfoot
Date: 2015-09-22 20:45:16 -07:00
[release-branch.go1.4] doc: document go1.4.3
Change-Id: Ib1bfe4038e2b125a31acd9ff7772e462b0a6358f
Reviewed-on: https://go-review.googlesource.com/14852
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-on: https://go-review.googlesource.com/14853
commit cb65428710d70abdaf101defa9cd7eaddff9d925
Author: Brad Fitzpatrick
Date: 2015-09-21 16:09:47 +02:00
[release-branch.go1.4] net/http: backport some potential request smuggling vectors from Go 1.5
This CL contains the verbatim tests from these two changes, but with
alternate minimal fixes against the 1.4 tree:
https://go-review.googlesource.com/#/c/12865/
https://go-review.googlesource.com/#/c/13148/
Change-Id: If98c2198e24e30e14a3b7b5e954b504d1f18db89
Reviewed-on: https://go-review.googlesource.com/14802
Reviewed-by: Rob Pike <r@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Chris Broadfoot <cbro@golang.org>
commit 8f3395902d3f57887dd11b60d837785107304df4
Author: Brad Fitzpatrick
Date: 2015-06-30 14:21:15 -07:00
[release-branch.go1.4] net/http: harden Server against request smuggling
See RFC 7230.
Thanks to Régis Leroy for the report.
Change-Id: Ic1779bc2180900430d4d7a4938cac04ed73c304c
Reviewed-on: https://go-review.googlesource.com/11810
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/14250
Reviewed-by: Andrew Gerrand <adg@golang.org>
commit 8f429671248bbcf956fa8a1b7c3a1072285a3b8b
Author: Brad Fitzpatrick
Date: 2015-06-30 09:22:41 -07:00
[release-branch.go1.4] net/textproto: don't treat spaces as hyphens in header keys
This was originally done in https://codereview.appspot.com/5690059
(Feb 2012) to deal with bad response headers coming back from webcams,
but it presents a potential security problem with HTTP request
smuggling for request headers containing "Content Length" instead of
"Content-Length".
Part of overall HTTP hardening for request smuggling. See RFC 7230.
Thanks to Régis Leroy for the report.
Change-Id: I92b17fb637c9171c5774ea1437979ae2c17ca88a
Reviewed-on: https://go-review.googlesource.com/11772
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/14249
Reviewed-by: Andrew Gerrand <adg@golang.org>
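
The net/textproto commit above says that treating spaces as hyphens lets "Content Length" be read as "Content-Length". The following added example (not code from the Go tree) shows why that matters for message framing: two parsers that normalize the same header lines differently disagree on the body length. `legacyCanonical`, `declaredLength` and `framingDisagrees` are hypothetical helpers, and the sample header lines are constructed.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// strictCanonical is the current standard-library behaviour: a key that
// contains a space is returned unmodified, so it never becomes Content-Length.
var strictCanonical = textproto.CanonicalMIMEHeaderKey

// legacyCanonical models the pre-fix behaviour the commit message describes
// (spaces rewritten to hyphens). It is a hypothetical reconstruction, not the
// original Go 1.4 source.
func legacyCanonical(key string) string {
	return textproto.CanonicalMIMEHeaderKey(strings.Replace(key, " ", "-", -1))
}

// declaredLength returns the body length a parser takes from raw header lines
// when it normalizes keys with canon, or -1 if it finds no usable Content-Length.
func declaredLength(lines []string, canon func(string) string) int64 {
	for _, line := range lines {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || canon(parts[0]) != "Content-Length" {
			continue
		}
		n, err := strconv.ParseInt(strings.TrimSpace(parts[1]), 10, 64)
		if err != nil {
			return -1
		}
		return n
	}
	return -1
}

// framingDisagrees reports whether the lenient and strict normalizations give
// different body lengths, the condition a hardened server or proxy must rule out.
func framingDisagrees(lines []string) bool {
	return declaredLength(lines, legacyCanonical) != declaredLength(lines, strictCanonical)
}

func main() {
	// Constructed sample header lines for illustration.
	sample := []string{"Host: example.test", "Content Length: 5"}
	fmt.Println(declaredLength(sample, legacyCanonical), declaredLength(sample, strictCanonical), framingDisagrees(sample))
}
```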