Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: backport "multipart ReadForm close file after copy" to 1.7 #17965

Closed
bradfitz opened this issue Nov 17, 2016 · 2 comments
Closed

net/http: backport "multipart ReadForm close file after copy" to 1.7 #17965

bradfitz opened this issue Nov 17, 2016 · 2 comments
Assignees
@bradfitz
Labels
FrozenDueToAge Security
Milestone
Go1.7.4

Comments

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Nov 17, 2016

If we do another release of Go 1.7, back port:

commit 7478ea5dba7ed02ddffd91c1d17ec8141f7cf184
Author: Michael Fraenkel <michael.fraenkel@gmail.com>
Date:   Wed Oct 5 11:27:34 2016 -0400

    net/http: multipart ReadForm close file after copy
    
    Always close the file regardless of whether the copy succeeds or fails.
    Pass along the close error if the copy succeeds
    
    Fixes #16296
    
    Change-Id: Ib394655b91d25750f029f17b3846d985f673fb50
    Reviewed-on: https://go-review.googlesource.com/30410
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>

Reportedly, it closes a potential DoS vector, exhausting a server's file descriptors.

/cc @broady @quentinmit
@bradfitz bradfitz added this to the Go1.7.4 milestone Nov 17, 2016
@bradfitz bradfitz changed the title net/http: backport net/http: backport "multipart ReadForm close file after copy" to 1.7 Nov 17, 2016
@bradfitz bradfitz added the Security label Nov 17, 2016
@bradfitz bradfitz self-assigned this Nov 28, 2016
@gopherbot
Copy link

@gopherbot gopherbot commented Nov 28, 2016

CL https://golang.org/cl/33639 mentions this issue.
gopherbot pushed a commit that referenced this issue Dec 1, 2016
@fraenkel @broady
[release-branch.go1.7] net/http: multipart ReadForm close file after …
fab76f0 
…copy

Always close the file regardless of whether the copy succeeds or fails.
Pass along the close error if the copy succeeds

Updates #16296
Fixes #17965

Change-Id: Ib394655b91d25750f029f17b3846d985f673fb50
Reviewed-on: https://go-review.googlesource.com/30410
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/33639
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
@broady
Copy link
Member

@broady broady commented Dec 1, 2016
edited

Included in Go 1.6.4 via f0fa13b:
https://golang.org/cl/33640
@bradfitz bradfitz closed this Dec 1, 2016
@fboudra fboudra mentioned this issue Dec 19, 2016
Merged
mem added a commit to mem/oe-meta-go that referenced this issue Jan 5, 2017
@fboudra @mem
go: update to 1.7.4 release (#19)
ef4bbe8 
Fixes golang/go#17965
Always close the file regardless of whether the copy succeeds or fails.
Pass along the close error if the copy succeeds

Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
@golang golang locked and limited conversation to collaborators Dec 1, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bradfitz bradfitz

Labels
FrozenDueToAge Security
Projects
None yet
Milestone
Go1.7.4
Linked pull requests

Successfully merging a pull request may close this issue.

go: update to 1.7.4 release
3 participants
@bradfitz @broady @gopherbot