-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: panic on misformed If-None-Match Header with http.ServeContent #39817
Comments
Change https://golang.org/cl/239699 mentions this issue: |
This is not a Denial of Service vulnerability, because the panic is recovered automatically, correct? |
Since the panic is logged, it may lead to remote log flooding and Go http servers cannot defend against this. I believe this fact warrants a backport. |
I put some thought into this question, but i'm entirely unsure about the impact. if used inside a Looking at the code the problem should be present down to Go 1.8 where the |
Submitted to master. Sent Go 1.14 backport as https://go-review.googlesource.com/c/go/+/240343 |
Change https://golang.org/cl/240343 mentions this issue: |
@gopherbot please backport to 1.14. CL at https://golang.org/cl/240343 |
Backport issue(s) opened: #39920 (for 1.14). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
This probably should have requested a freeze exception (which I think should have been granted). We don't keep the main issue open for backports, but use the gopherbot-created one. See http://golang.org/wiki/MinorReleases. Why no backport to Go 1.13? |
@gopherbot please backport to 1.13. CL at https://golang.org/cl/240343. |
Well that didn't work. Opened manually: #39925 |
Change https://golang.org/cl/242077 mentions this issue: |
…in http.ServeContent Updates #39817. Fixes #39925. Change-Id: I79f2ad7c836a8a46569f603aca583fdd526d22dc GitHub-Last-Rev: 5b88aad GitHub-Pull-Request: #39821 Reviewed-on: https://go-review.googlesource.com/c/go/+/239699 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit ce81a8f) Reviewed-on: https://go-review.googlesource.com/c/go/+/242077 Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Marcus Weiner <marcus.weiner@gmail.com> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
…in http.ServeContent Updates #39817. Fixes #39920. Change-Id: I79f2ad7c836a8a46569f603aca583fdd526d22dc GitHub-Last-Rev: 5b88aad GitHub-Pull-Request: #39821 Reviewed-on: https://go-review.googlesource.com/c/go/+/239699 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit ce81a8f) Reviewed-on: https://go-review.googlesource.com/c/go/+/240343 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
What version of Go are you using (
go version
)?1.14
Does this issue reproduce with the latest release?
Yep. Problematic code can still be found in master.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
go run main.go
What did you expect to see?
I expected it to print a response with a 200 status code
What did you see instead?
This panic:
This seems to be the problematic code:
https://github.com/golang/go/blob/master/src/net/http/fs.go#L410-L419
The text was updated successfully, but these errors were encountered: