Skip to content

net/http: broken trailers don't close a server connection #12027

Closed
@jeddenlea

Description

@jeddenlea

Hot off the trail of http://golang.org/issue/11930, I think I'm getting a hang of this. I've found yet another class of read error which escapes the checks just put in place: broken HTTP request trailers. Properly crafted requests with broken trailers could pass through one level of protective proxy to unwanted requests to a Go backend.

As discussed in https://go-review.googlesource.com/#/c/12909, some race conditions and other problems still exist that are all worth fixing with a small refactoring, but that would be overkill for the looming 1.5 release. (I've got a working draft to share soon, though)

Using the plumbing just introduced to fix #11930, a surgical fix to the broken trailer problem is fairly trivial. I'll have a CL up momentarily.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions