tls.Conn.Close() didn't close the underlying connection and tried to
do a handshake in order to send the close notify alert.
http didn't look for errors from the TLS handshake.
Fixes#2281.
R=bradfitz
CC=golang-dev
https://golang.org/cl/5283045
Previously, if an http.Handler didn't fully consume a
Request.Body before returning and the request and the response
from the handler indicated no reason to close the connection,
the server would read an unbounded amount of the request's
unread body to advance past the request message to find the
next request's header. That was a potential DoS.
With this CL there's a threshold under which we read
(currently 256KB) in order to keep the connection in
keep-alive mode, but once we hit that, we instead
switch into a "Connection: close" response and don't
read the request body.
Fixes#2093 (along with number of earlier CLs)
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/5268043
My theory is that suse has larger TCP buffer sizes
by default. I now check over 100MB, rather than over 2MB.
100MB is ~halfway between the 1MB limit and the 200MB
request that's attempted.
R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/4926048
This adds http.MaxBytesReader, similar to io.LimitReader,
but specific to http, and for preventing a class of DoS
attacks.
This also makes the 10MB ParseForm limit optional (if
not already set by a MaxBytesReader), documents it,
and also adds "PUT" as a valid verb for parsing forms
in the request body.
Improves issue 2093 (DoS protection)
Fixes#2165 (PUT form parsing)
R=golang-dev, adg
CC=golang-dev
https://golang.org/cl/4921049
This is just moving the URL code from package http into its own package,
which has been planned for a while.
Besides clarity, this also breaks a nascent dependency cycle the new template
package was about to introduce.
Add a gofix module, url, and use it to generate changes outside http and url.
Sadness about the churn, gladness about some of the naming improvements.
R=dsymonds, bradfitz, rsc, gustavo, r
CC=golang-dev
https://golang.org/cl/4893043
Previously we were snapshotting the TLS state into *Request
before we did the HTTP ReadRequest, the first Read of which
triggered the TLS handshake implicitly.
Fixes#1956
R=golang-dev, rsc
CC=agl, golang-dev
https://golang.org/cl/4630072
We'll do the right thing by default, but people wanting minimal
response sizes can explicitly remove the Date header.
(empty fields aren't written out)
R=rsc
CC=golang-dev
https://golang.org/cl/4634048
With the ReadFrom change in the sendfile CL, it became
possible to illegally send a response to a HEAD request if you
did it via io.Copy.
Fixes#1939
R=rsc
CC=golang-dev
https://golang.org/cl/4584049
This appears to have been a long-standing formatting bug.
The test cases has misformatted golden files.
Applied gofmt -w src misc .
Fixes#1839.
R=iant
CC=golang-dev
https://golang.org/cl/4515113
This CL:
-- removes Response.RequestMethod string
-- adds Response.Request *Request
-- removes the finalURL result parameter from client.Get()
-- adds a gofix rule for callers of http.Get which assign
the final url to the blank identifier; warning otherwise
Caller who did:
res, finalURL, err := http.Get(...)
now need to do:
res, err := http.Get(...)
if err != nil {
...
}
finalURL := res.Request.URL.String()
R=rsc
CC=golang-dev
https://golang.org/cl/4535056
An optimization in Transport which re-uses TCP
connections early in the case where there is
no response body interacted poorly with
ErrBodyReadAfterClose. Upon recycling the TCP
connection early we would Close the Response.Body
(in case the user forgot to), but in the case
of a zero-lengthed body, the user's handler might
not have run yet.
This CL makes sure the Transport doesn't try
to Close requests when we're about to immediately
re-use the TCP connection.
This also includes additional tests I wrote
while debugging.
R=rsc, bradfitzgoog
CC=golang-dev
https://golang.org/cl/4529050
This fixes our http behavior (even if Handlers forget to
consume a request body, we do it for them before we send
their response header), fixes the racy TestServerExpect,
and adds TestServerConsumesRequestBody.
With GOMAXPROCS>1, the http tests now seem race-free.
R=rsc
CC=golang-dev
https://golang.org/cl/4419042
This mostly adds Expect 100-continue tests (from
the perspective of server correctness) that were
missing before.
It also fixes a few missing cases that will
probably never come up in practice, but it's nice
to have handled correctly.
Proper 100-continue client support remains a TODO.
R=rsc, bradfitzwork
CC=golang-dev
https://golang.org/cl/4399044
This patch adds a connection cache and keep-alive
support to Transport, which is used by the
HTTP client.
It's also structured such that it's easy to add
HTTP pipelining in the future.
R=rsc, petar-m, bradfitzwork, r
CC=golang-dev
https://golang.org/cl/4272045
Caller code needs to change:
rw.SetHeader("Content-Type", "text/plain")
to:
rw.Header().Set("Content-Type", "text/plain")
This now permits returning multiple headers
with the same name using Add:
rw.Header().Add("Set-Cookie", "..")
rw.Header().Add("Set-Cookie", "..")
This patch also fixes serialization of headers, removing newline characters.
Fixes#488Fixes#914
R=rsc
CC=gburd, golang-dev
https://golang.org/cl/4239076
This also breaks fs_test into two parts
as the range tests test http's private httpRange
and I had to change the fs_test package from
"http" to "http_test" to use httptest which otherwise
has a cyclic depedency back on http.
Aside: we should start exposing the Range
stuff in the future.
R=rsc
CC=golang-dev
https://golang.org/cl/4261047
Currently all http handlers reply to HTTP/1.1 requests with
chunked responses. This patch allows handlers to opt-out of
that behavior by pre-declaring their Content-Length (which is
then enforced) and unsetting their Transfer-Encoding or
setting it to the "identity" encoding.
R=rsc, bradfitzwork
CC=golang-dev
https://golang.org/cl/4245058
Also adds some tests for Issue 900 which was the reason
the current URL parsing is broken. (the previous fix
was wrong)
R=rsc, adg, dangabrad, bradfitzwork
CC=golang-dev
https://golang.org/cl/3910042