| commit | 89ef3d95e781148a0951956029c92a211477f7f9 | [log] [tgz] |
|---|---|---|
| author | Katie Hockman <katie@golang.org> | Fri Apr 23 12:56:01 2021 -0400 |
| committer | Katie Hockman <katie@golang.org> | Wed Apr 28 14:07:49 2021 +0000 |
| tree | 3c1137b738e04271d6dd9246ef9fddf31de0af0b | |
| parent | 85d9c07bbe3a33a875ef21b02f48ac405ad17d5f [diff] |
http/httpguts: remove recursion in HeaderValuesContainsToken Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB). Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program. Fixes CVE-2021-31525 Fixes golang/go#45710 Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3 Reviewed-on: https://go-review.googlesource.com/c/net/+/313069 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
This repository holds supplementary Go networking libraries.
The easiest way to install is to run go get -u golang.org/x/net. You can also manually git clone the repository to $GOPATH/src/golang.org/x/net.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. The main issue tracker for the net repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.