Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: broken trailers don't close a server connection #12027

Closed
jeddenlea opened this issue Aug 5, 2015 · 2 comments

Comments

Projects
None yet
3 participants
@jeddenlea
Copy link
Contributor

commented Aug 5, 2015

Hot off the trail of http://golang.org/issue/11930, I think I'm getting a hang of this. I've found yet another class of read error which escapes the checks just put in place: broken HTTP request trailers. Properly crafted requests with broken trailers could pass through one level of protective proxy to unwanted requests to a Go backend.

As discussed in https://go-review.googlesource.com/#/c/12909, some race conditions and other problems still exist that are all worth fixing with a small refactoring, but that would be overkill for the looming 1.5 release. (I've got a working draft to share soon, though)

Using the plumbing just introduced to fix #11930, a surgical fix to the broken trailer problem is fairly trivial. I'll have a CL up momentarily.

@jeddenlea

This comment has been minimized.

Copy link
Contributor Author

commented Aug 5, 2015

@gopherbot

This comment has been minimized.

Copy link

commented Aug 5, 2015

CL https://golang.org/cl/13148 mentions this issue.

@rsc rsc closed this in 26049f6 Aug 5, 2015

@mikioh mikioh added this to the Go1.5 milestone Aug 5, 2015

@golang golang locked and limited conversation to collaborators Aug 5, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.