net/http: further restrict which trailers may be sent #14188

bradfitz · 2016-02-02T04:04:29Z

http://tools.ietf.org/html/rfc7230#section-4.1.2

   A sender MUST NOT generate a trailer that contains a field necessary
   for message framing (e.g., Transfer-Encoding and Content-Length),
   routing (e.g., Host), request modifiers (e.g., controls and
   conditionals in Section 5 of [RFC7231]), authentication (e.g., see
   [RFC7235] and [RFC6265]), response control data (e.g., see Section
   7.1 of [RFC7231]), or determining how to process the payload (e.g.,
   Content-Encoding, Content-Type, Content-Range, and Trailer).


        http2: reject more trailer values

Updates golang/go#14188 Change-Id: Ic274841422fcb6179c0a782956bbfa336d27f1e1 Reviewed-on: https://go-review.googlesource.com/23230 Reviewed-by: Andrew Gerrand <adg@golang.org>

gopherbot · 2016-05-19T03:00:23Z

CL https://golang.org/cl/23234 mentions this issue.

bradfitz self-assigned this Feb 2, 2016

bradfitz added this to the Go1.7 milestone Feb 2, 2016

gopherbot closed this in 255e206 May 19, 2016

golang locked and limited conversation to collaborators May 19, 2017

gopherbot added the FrozenDueToAge label May 19, 2017

golang / go

net/http: further restrict which trailers may be sent #14188

net/http: further restrict which trailers may be sent #14188

bradfitz commented Feb 2, 2016

This comment has been minimized.

gopherbot commented May 19, 2016

golang / go

Join GitHub today

net/http: further restrict which trailers may be sent #14188

net/http: further restrict which trailers may be sent #14188

Comments

bradfitz commented Feb 2, 2016

This comment has been minimized.

gopherbot commented May 19, 2016