Skip to content

net/http: security fixes for 1.4.3 #12741

@broady

Description

@broady

CVE-2015-5739
"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/

CVE-2015-5740
Double content-length headers does not return 400 error:
https://go-review.googlesource.com/#/c/11810/

CVE-2015-5741
Additional hardening, not sending Content-Length w/Transfer-Encoding,
Closing connections:
https://go-review.googlesource.com/#/c/11810/
https://go-review.googlesource.com/#/c/12865/
https://go-review.googlesource.com/#/c/13148/

The Go team would like to thank Jed Denlea and Régis Leroy for their contributions to this release. They have been awarded 1337 USD under the Google Security Bounty program.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions