Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upnet/http: broken trailers don't close a server connection #12027
Comments
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
gopherbot
commented
Aug 5, 2015
|
CL https://golang.org/cl/13148 mentions this issue. |
rsc
closed this
in
26049f6
Aug 5, 2015
mikioh
added this to the Go1.5 milestone
Aug 5, 2015
golang
locked and limited conversation to collaborators
Aug 5, 2016
gopherbot
added
the
FrozenDueToAge
label
Aug 5, 2016
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
jeddenlea commentedAug 5, 2015
Hot off the trail of http://golang.org/issue/11930, I think I'm getting a hang of this. I've found yet another class of read error which escapes the checks just put in place: broken HTTP request trailers. Properly crafted requests with broken trailers could pass through one level of protective proxy to unwanted requests to a Go backend.
As discussed in https://go-review.googlesource.com/#/c/12909, some race conditions and other problems still exist that are all worth fixing with a small refactoring, but that would be overkill for the looming 1.5 release. (I've got a working draft to share soon, though)
Using the plumbing just introduced to fix #11930, a surgical fix to the broken trailer problem is fairly trivial. I'll have a CL up momentarily.