x/net/http2: validate received header values #14029
Closed
Comments
CL https://golang.org/cl/18727 mentions this issue.
gopherbot pushed a commit to golang/net that referenced this issue Jan 20, 2016
This validates incoming header field values in Server and Transport to make sure the peer isn't sending us a \x00, CR, NL or other non-VCHAR except space and tab. It does not yet validate that we don't send such things, though.

Updates golang/go#14029

Change-Id: I7c6a56d5d0d255f1b8fa64480b34b3b5e1f4f367
Reviewed-on: https://go-review.googlesource.com/18727
Reviewed-by: Andrew Gerrand <adg@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
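The byte-level check that commit message describes, written out as an added Go example; it is not the code from CL 18727 or from x/net/http2. The names `firstBadByte`, `validFieldValue`, `header` and `checkHeaders` are hypothetical, the sample fields are constructed, and accepting bytes at or above 0x80 is an assumption the page does not address.

```go
package main

import "fmt"

// firstBadByte returns the index of the first byte in v that is not VCHAR
// (0x21-0x7E), space or tab, or -1 if there is none.
// Assumption: bytes >= 0x80 are accepted; the page does not cover them.
func firstBadByte(v string) int {
	for i := 0; i < len(v); i++ {
		switch c := v[i]; {
		case c == ' ' || c == '\t': // allowed whitespace
		case c >= 0x21 && c <= 0x7e: // VCHAR
		case c >= 0x80: // assumed allowed, see above
		default: // NUL, CR, LF, other control bytes, DEL
			return i
		}
	}
	return -1
}

// validFieldValue reports whether every byte of v is allowed.
func validFieldValue(v string) bool { return firstBadByte(v) < 0 }

// header is a hypothetical decoded header field (name and value).
type header struct{ Name, Value string }

// checkHeaders returns an error for the first field with an invalid value,
// so the caller can reject the whole request or response.
func checkHeaders(hs []header) error {
	for _, h := range hs {
		if i := firstBadByte(h.Value); i >= 0 {
			return fmt.Errorf("field %q: invalid byte 0x%02x at offset %d",
				h.Name, h.Value[i], i)
		}
	}
	return nil
}

func main() {
	// Constructed sample fields, not taken from the issue.
	samples := []header{
		{"accept", "text/html, */*;q=0.8"},
		{"x-tab", "a\tb c"},
		{"x-nul", "a\x00b"},
		{"x-crlf", "v\r\nx-extra: 1"},
	}
	for _, h := range samples {
		fmt.Printf("%-8s valid=%v\n", h.Name, validFieldValue(h.Value))
	}
	fmt.Println(checkHeaders(samples))
}
```

As the commit message notes for the real change, a check like this covers received values only; values being sent need the same test on the write path.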
CL https://golang.org/cl/18728 mentions this issue.
gopherbot pushed a commit that referenced this issue Jan 21, 2016
…ternal

Updates x/net/http2 to git rev b2ed34f for https://golang.org/cl/18727

Updates #14029 (fixes it enough for Go 1.6)
Fixes #13961

Change-Id: Id301247545507671f4e79df0e7c6ec9c421d5a7c
Reviewed-on: https://go-review.googlesource.com/18728
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
The Go http2 implementation (client & server) validates header values (the validHeader func) but I missed the very next sentence in the http2 spec before: https://httpwg.github.io/specs/rfc7540.html#rfc.section.10.3
I only thought to go look because I saw a mention of it in the gRPC wire protocol docs:
Needs to be fixed in both the client & server, next to existing checks like: