/go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: backport "multipart ReadForm close file after copy" to 1.7 #17965

Closed
bradfitz opened this Issue Nov 17, 2016 · 2 comments

Comments

Assignees

@bradfitz bradfitz

Labels
FrozenDueToAge Security
Projects
None yet
Milestone
  Go1.7.4
3 participants
@bradfitz @gopherbot @broady
@bradfitz
Copy link
Member

bradfitz commented Nov 17, 2016

If we do another release of Go 1.7, back port:

commit 7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
Author: Michael Fraenkel <michael.fraenkel@gmail.com>
Date:   Wed Oct 5 11:27:34 2016 -0400

    net/http: multipart ReadForm close file after copy
    
    Always close the file regardless of whether the copy succeeds or fails.
    Pass along the close error if the copy succeeds
    
    Fixes #16296
    
    Change-Id: Ib394655b91d25750f029f17b3846d985f673fb50
    Reviewed-on: https://go-review.googlesource.com/30410
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>

Reportedly, it closes a potential DoS vector, exhausting a server's file descriptors.

/cc @broady @quentinmit

@bradfitz bradfitz added this to the Go1.7.4 milestone Nov 17, 2016

@bradfitz bradfitz changed the title net/http: backport net/http: backport "multipart ReadForm close file after copy" to 1.7 Nov 17, 2016

@bradfitz bradfitz added the Security label Nov 17, 2016

@bradfitz bradfitz self-assigned this Nov 28, 2016

@gopherbot

This comment has been minimized.

Sign in to view
Copy link

gopherbot commented Nov 28, 2016

CL https://golang.org/cl/33639 mentions this issue.

gopherbot pushed a commit that referenced this issue Dec 1, 2016

@fraenkel @broady
[release-branch.go1.7] net/http: multipart ReadForm close file after … 
…copy

Always close the file regardless of whether the copy succeeds or fails.
Pass along the close error if the copy succeeds

Updates #16296
Fixes #17965

Change-Id: Ib394655b91d25750f029f17b3846d985f673fb50
Reviewed-on: https://go-review.googlesource.com/30410
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/33639
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
fab76f0
@broady

This comment has been minimized.

Sign in to view
Copy link
Member

broady commented Dec 1, 2016
edited

Included in Go 1.6.4 via f0fa13b:
https://golang.org/cl/33640

@bradfitz bradfitz closed this Dec 1, 2016

fboudra added a commit to fboudra/oe-meta-go that referenced this issue Dec 19, 2016

@fboudra
go: update to 1.7.4 release 
Fixes golang/go#17965
Always close the file regardless of whether the copy succeeds or fails.
Pass along the close error if the copy succeeds

Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
07093a4

@fboudra fboudra referenced this issue Dec 19, 2016

Merged

go: update to 1.7.4 release #19

mem added a commit to mem/oe-meta-go that referenced this issue Jan 5, 2017

@fboudra @mem
go: update to 1.7.4 release (#19) 
Fixes golang/go#17965
Always close the file regardless of whether the copy succeeds or fails.
Pass along the close error if the copy succeeds

Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
ef4bbe8

@golang golang locked and limited conversation to collaborators Dec 1, 2017

@gopherbot gopherbot added the FrozenDueToAge label Dec 1, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.