x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll [1.19 backport] #56676

Open
gopherbot opened this issue Nov 9, 2022 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases Security
Comments

@gopherbot

gopherbot commented Nov 9, 2022

@neild requested issue #56352 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues, this is a potential request smuggling vector

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Nov 9, 2022
@gopherbot gopherbot modified the milestones: Unreleased, Go1.19.4 Nov 9, 2022
@toothrot
Contributor

toothrot commented Nov 16, 2022

@neild Can you provide a little more detail in the justification on the backport? Is this a significant regression or security issue?

@neild neild added the Security label Nov 16, 2022
@neild
Contributor

neild commented Nov 16, 2022

@toothrot This is a (minor) security issue.

@cherrymui cherrymui added the CherryPickApproved Used during the release process for point releases label Nov 23, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Nov 23, 2022
4 participants