1
0
mirror of https://github.com/golang/go synced 2024-11-27 05:51:17 -07:00
The Go programming language
Go to file
Damien Neil 6446af942e [release-branch.go1.20] net/http: limit chunked data overhead
The chunked transfer encoding adds some overhead to
the content transferred. When writing one byte per
chunk, for example, there are five bytes of overhead
per byte of data transferred: "1\r\nX\r\n" to send "X".

Chunks may include "chunk extensions",
which we skip over and do not use.
For example: "1;chunk extension here\r\nX\r\n".

A malicious sender can use chunk extensions to add
about 4k of overhead per byte of data.
(The maximum chunk header line size we will accept.)

Track the amount of overhead read in chunked data,
and produce an error if it seems excessive.

Updates #64433
Fixes #64434
Fixes CVE-2023-39326

Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2023-12-05 17:18:16 +00:00
.github .github: suggest using private browsing in pkgsite template 2023-01-03 18:52:47 +00:00
api api: promote next to go1.20 2022-12-07 16:56:12 +00:00
doc [release-branch.go1.20] time: revert strict parsing of RFC 3339 2023-01-18 20:42:20 +00:00
lib/time lib/time: update to 2022g/2022g 2022-12-07 00:25:27 +00:00
misc [release-branch.go1.20] cmd/compile: use absolute file name in isCgo check 2023-10-05 18:31:32 +00:00
src [release-branch.go1.20] net/http: limit chunked data overhead 2023-12-05 17:18:16 +00:00
test [release-branch.go1.20] cmd/compile: fix findIndVar so it does not match disjointed loop headers 2023-11-28 20:11:58 +00:00
.gitattributes
.gitignore
codereview.cfg [release-branch.go1.20] update codereview.cfg for release-branch.go1.20 2022-12-07 18:00:33 +00:00
CONTRIBUTING.md
LICENSE
PATENTS
README.md README: update from CC-BY-3.0 to CC-BY-4.0 2022-11-02 20:14:56 +00:00
SECURITY.md
VERSION [release-branch.go1.20] go1.20.11 2023-11-07 17:55:05 +00:00

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 4.0 Attributions license.

Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at https://go.dev/dl/.

After downloading a binary release, visit https://go.dev/doc/install for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit https://go.dev/doc/install/source for source installation instructions.

Contributing

Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines at https://go.dev/doc/contribute.

Note that the Go project uses the issue tracker for bug reports and proposals only. See https://go.dev/wiki/Questions for a list of places to ask questions about the Go language.