The kludge is targeted at broken web browsers
like Chrome and IE, but it gets in the way of
sending 400 or 500-series error results with
formatted bodies in response to AJAX requests
made by pages executing in those browsers.
Now the AJAX cases will work and Chrome
and IE will be as broken with Go servers as
they are with all the other servers.
Fixes #2169.
R=bradfitz, dsymonds
CC=golang-dev
https://golang.org/cl/4930047
This adds http.MaxBytesReader, similar to io.LimitReader,
but specific to http, and for preventing a class of DoS
attacks.
This also makes the 10MB ParseForm limit optional (if
not already set by a MaxBytesReader), documents it,
and also adds "PUT" as a valid verb for parsing forms
in the request body.
Improves issue 2093 (DoS protection)
Fixes #2165 (PUT form parsing)
R=golang-dev, adg
CC=golang-dev
https://golang.org/cl/4921049
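
The limit described in the commit above, as an added example that is not code from the commit or the Go tree: a handler wraps the request body in http.MaxBytesReader before ParseForm reads it, so an oversized form is rejected instead of buffered. The names maxBody, formHandler, submit and bigBody, the /submit path and the 1 KiB limit are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBody is an assumed per-request limit for this example (1 KiB).
const maxBody = 1 << 10

// bigBody is a constructed form body twice the size of the limit.
var bigBody = "name=" + strings.Repeat("A", 2*maxBody)

// formHandler caps the body first; ParseForm then fails once the cap is hit.
func formHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	if err := r.ParseForm(); err != nil {
		http.Error(w, "request body too large or malformed",
			http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "name=%s", r.PostForm.Get("name"))
}

// submit sends a form body through the handler in-process and returns
// the status code and response body.
func submit(method, body string) (int, string) {
	req := httptest.NewRequest(method, "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	formHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	cases := []struct{ method, body string }{
		{"POST", "name=gopher"}, // under the limit
		{"PUT", "name=gopher"},  // PUT bodies are parsed as forms too
		{"POST", bigBody},       // over the limit: rejected
	}
	for _, c := range cases {
		code, out := submit(c.method, c.body)
		fmt.Printf("%s %d bytes -> %d %q\n",
			c.method, len(c.body), code, strings.TrimSpace(out))
	}
}
```
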
This is just moving the URL code from package http into its own package,
which has been planned for a while.
Besides clarity, this also breaks a nascent dependency cycle the new template
package was about to introduce.
Add a gofix module, url, and use it to generate changes outside http and url.
Sadness about the churn, gladness about some of the naming improvements.
R=dsymonds, bradfitz, rsc, gustavo, r
CC=golang-dev
https://golang.org/cl/4893043
Something is broken, and investigation is underway.
In the meantime, godoc is broken, so disable sniffing for now
by reverting to the pre-sniffer state.
R=r
CC=golang-dev
https://golang.org/cl/4809046
This follows draft-ietf-websec-mime-sniff-03 in its intent,
though not its algorithmic specification.
R=rsc
CC=golang-dev
https://golang.org/cl/4746042
Change the signature of Split to have no count,
assuming a full split, and rename the existing
Split with a count to SplitN.
Do the same to package bytes.
Add a gofix module.
R=adg, dsymonds, alex.brainman, rsc
CC=golang-dev
https://golang.org/cl/4661051
Previously we were snapshotting the TLS state into *Request
before we did the HTTP ReadRequest, the first Read of which
triggered the TLS handshake implicitly.
Fixes #1956
R=golang-dev, rsc
CC=agl, golang-dev
https://golang.org/cl/4630072
We'll do the right thing by default, but people wanting minimal
response sizes can explicitly remove the Date header.
(empty fields aren't written out)
R=rsc
CC=golang-dev
https://golang.org/cl/4634048
Previously Request and Response had redundant fields for
Referer, UserAgent, and cookies which caused confusion and
bugs. It also didn't allow us to expand the package over
time, since the way to access fields would be in the Headers
one day and promoted to a field the next day. That would be
hard to gofix, especially with code ranging over Headers.
After a discussion on the mail package's design with a similar
problem, we've designed to make the Headers be the source of
truth and add accessors instead.
Request:
	change: Referer -> Referer()
	change: UserAgent -> UserAgent()
	change: Cookie -> Cookies()
	new: Cookie(name) *Cookie
	new: AddCookie(*Cookie)
Response:
	change: Cookie -> Cookies()
Cookie:
	new: String() string
R=rsc
CC=golang-dev
https://golang.org/cl/4620049
With the ReadFrom change in the sendfile CL, it became
possible to illegally send a response to a HEAD request if you
did it via io.Copy.
Fixes #1939
R=rsc
CC=golang-dev
https://golang.org/cl/4584049
This fixes our http behavior (even if Handlers forget to
consume a request body, we do it for them before we send
their response header), fixes the racy TestServerExpect,
and adds TestServerConsumesRequestBody.
With GOMAXPROCS>1, the http tests now seem race-free.
R=rsc
CC=golang-dev
https://golang.org/cl/4419042
This mostly adds Expect 100-continue tests (from
the perspective of server correctness) that were
missing before.
It also fixes a few missing cases that will
probably never come up in practice, but it's nice
to have handled correctly.
Proper 100-continue client support remains a TODO.
R=rsc, bradfitzwork
CC=golang-dev
https://golang.org/cl/4399044
The Flush functionality wasn't removed, but now you have
to test if your ResponseWriter is also a Flusher:
	func ServeHTTP(rw http.ResponseWriter, req *http.Request) {
		if f, ok := rw.(http.Flusher); ok {
			f.Flush()
		}
	}
R=rsc, bradfitzwork
CC=gburd, golang-dev
https://golang.org/cl/4239077
Caller code needs to change:
	rw.SetHeader("Content-Type", "text/plain")
to:
	rw.Header().Set("Content-Type", "text/plain")
This now permits returning multiple headers
with the same name using Add:
	rw.Header().Add("Set-Cookie", "..")
	rw.Header().Add("Set-Cookie", "..")
This patch also fixes serialization of headers, removing newline characters.
Fixes #488
Fixes #914
R=rsc
CC=gburd, golang-dev
https://golang.org/cl/4239076
The http/cgi package now supports both being
a CGI host or being a CGI child process.
R=rsc, adg, bradfitzwork
CC=golang-dev
https://golang.org/cl/4245070
The Hijack functionality wasn't removed, but now you have
to test if your ResponseWriter is also a Hijacker:
	func ServeHTTP(rw http.ResponseWriter, req *http.Request) {
		if hj, ok := rw.(http.Hijacker); ok {
			hj.Hijack(..)
		}
	}
R=rsc
CC=golang-dev
https://golang.org/cl/4245064
Currently all http handlers reply to HTTP/1.1 requests with
chunked responses. This patch allows handlers to opt-out of
that behavior by pre-declaring their Content-Length (which is
then enforced) and unsetting their Transfer-Encoding or
setting it to the "identity" encoding.
R=rsc, bradfitzwork
CC=golang-dev
https://golang.org/cl/4245058
This aligns the naming scheme with the testing package and
also lets govet work on more logging calls.
R=rsc
CC=golang-dev
https://golang.org/cl/4001048
RFC2616 sections 4.4 and 14.16:
* Cannot use Content-Length with non-identity Transfer-Encoding
* Content-Range response is "bytes x-y/z" not "x-y/z"
R=rsc
CC=golang-dev
https://golang.org/cl/4018041
In the case where r.Method == "POST", was
calling Printf with an argument but "" format string,
causing a spurious %!EXTRA(...) message.
Also escape string properly in HTML generation.
R=r
CC=golang-dev
https://golang.org/cl/3923043