[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: Re: [OE-core] [zeus 25/28] go: fix CVE-2019-16276
From: Martin Jansa <martin.jansa () gmail ! com>
Date: 2019-10-31 11:57:29
Message-ID: CA+chaQdopiKmfqoreYzx0Q9saS-vtQpkqvLnwjEm9a9UmZ0dwA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
I'm sorry I was looking at wrong build before.
It doesn't happen in zeus and master. Only with warrior where this was
backported as well in:
"[OE-core] [warrior 18/19] go: fix CVE-2019-16276"
Probably because warrior is using older minor version of 1.12 go:
-GO_MINOR = ".1"
+GO_MINOR = ".9"
On Thu, Oct 31, 2019 at 12:49 PM Martin Jansa <martin.jansa@gmail.com>
wrote:
> This seems to cause:
>
> ERROR: go-native-1.12.1-r0 do_patch: Fuzz detected:
>
> Applying patch
> 0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
> patching file src/net/http/serve_test.go
> patching file src/net/http/transport_test.go
> Hunk #1 succeeded at 5059 with fuzz 2 (offset -74 lines).
> patching file src/net/textproto/reader.go
> patching file src/net/textproto/reader_test.go
>
> The context lines in the patches can be updated with devtool:
>
> devtool modify go-native
> devtool finish --force-patch-refresh go-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: go-native-1.12.1-r0 do_patch: QA Issue: Patch log indicates that
> patches do not apply cleanly. [patch-fuzz]
>
> and the same for go-cross and go-runtime.
>
> The version currently in master is the same, so I guess both are showing
> this QA issue.
>
> Regards,
>
> On Sat, Oct 26, 2019 at 8:54 AM Armin Kuster <akuster808@gmail.com> wrote:
>
>> From: Chen Qi <Qi.Chen@windriver.com>
>>
>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> (cherry picked from commit e31f87e289dfd3bbca961e927447a9c7ba816d3f)
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>> meta/recipes-devtools/go/go-1.12.inc | 1 +
>> ...nch.go1.12-security-net-textproto-don-t-n.patch | 163
>> +++++++++++++++++++++
>> 2 files changed, 164 insertions(+)
>> create mode 100644
>> meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
>>
>> diff --git a/meta/recipes-devtools/go/go-1.12.inc
>> b/meta/recipes-devtools/go/go-1.12.inc
>> index 39157ff..ed14b17 100644
>> --- a/meta/recipes-devtools/go/go-1.12.inc
>> +++ b/meta/recipes-devtools/go/go-1.12.inc
>> @@ -16,6 +16,7 @@ SRC_URI += "\
>> file://0006-cmd-dist-separate-host-and-target-builds.patch \
>> file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
>> file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
>> +
>> file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
>> "
>> SRC_URI_append_libc-musl = "
>> file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
>>
>> diff --git
>> a/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
>> b/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
>> new file mode 100644
>> index 0000000..7b39dbd
>> --- /dev/null
>> +++
>> b/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
>> @@ -0,0 +1,163 @@
>> +From 265b691ac440bfb711d8de323346f7d72e620efe Mon Sep 17 00:00:00 2001
>> +From: Filippo Valsorda <filippo@golang.org>
>> +Date: Thu, 12 Sep 2019 12:37:36 -0400
>> +Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't
>> + normalize headers with spaces before the colon
>> +
>> +RFC 7230 is clear about headers with a space before the colon, like
>> +
>> +X-Answer : 42
>> +
>> +being invalid, but we've been accepting and normalizing them for
>> compatibility
>> +purposes since CL 5690059 in 2012.
>> +
>> +On the client side, this is harmless and indeed most browsers behave the
>> same
>> +to this day. On the server side, this becomes a security issue when the
>> +behavior doesn't match that of a reverse proxy sitting in front of the
>> server.
>> +
>> +For example, if a WAF accepts them without normalizing them, it might be
>> +possible to bypass its filters, because the Go server would interpret the
>> +header differently. Worse, if the reverse proxy coalesces requests onto a
>> +single HTTP/1.1 connection to a Go server, the understanding of the
>> request
>> +boundaries can get out of sync between them, allowing an attacker to
>> tack an
>> +arbitrary method and path onto a request by other clients, including
>> +authentication headers unknown to the attacker.
>> +
>> +This was recently presented at multiple security conferences:
>> +
>> https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
>> +
>> +net/http servers already reject header keys with invalid characters.
>> +Simply stop normalizing extra spaces in net/textproto, let it return them
>> +unchanged like it does for other invalid headers, and let net/http
>> enforce
>> +RFC 7230, which is HTTP specific. This loses us normalization on the
>> client
>> +side, but there's no right answer on the client side anyway, and hiding
>> the
>> +issue sounds worse than letting the application decide.
>> +
>> +Fixes CVE-2019-16276
>> +
>> +Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
>> +Reviewed-on:
>> https://team-review.git.corp.google.com/c/golang/go-private/+/549719
>> +Reviewed-by
>> <https://team-review.git.corp.google.com/c/golang/go-private/+/549719+Reviewed-by>:
>> Brad Fitzpatrick <bradfitz@google.com>
>> +(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
>> +Reviewed-on:
>> https://team-review.git.corp.google.com/c/golang/go-private/+/558776
>> +Reviewed-by
>> <https://team-review.git.corp.google.com/c/golang/go-private/+/558776+Reviewed-by>:
>> Dmitri Shuralyov <dmitshur@google.com>
>> +
>> +CVE: CVE-2019-16276
>> +
>> +Upstream-Status: Backport [
>> https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
>> ]
>> +
>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> +---
>> + src/net/http/serve_test.go | 4 ++++
>> + src/net/http/transport_test.go | 27 +++++++++++++++++++++++++++
>> + src/net/textproto/reader.go | 10 ++--------
>> + src/net/textproto/reader_test.go | 13 ++++++-------
>> + 4 files changed, 39 insertions(+), 15 deletions(-)
>> +
>> +diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
>> +index 6eb0088a96..89bfdfbb82 100644
>> +--- a/src/net/http/serve_test.go
>> ++++ b/src/net/http/serve_test.go
>> +@@ -4748,6 +4748,10 @@ func TestServerValidatesHeaders(t *testing.T) {
>> + {"foo\xffbar: foo\r\n", 400}, //
>> binary in header
>> + {"foo\x00bar: foo\r\n", 400}, //
>> binary in header
>> + {"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, //
>> header too large
>> ++ // Spaces between the header key and colon are not
>> allowed.
>> ++ // See RFC 7230, Section 3.2.4.
>> ++ {"Foo : bar\r\n", 400},
>> ++ {"Foo\t: bar\r\n", 400},
>> +
>> + {"foo: foo foo\r\n", 200}, // LWS space is okay
>> + {"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
>> +diff --git a/src/net/http/transport_test.go
>> b/src/net/http/transport_test.go
>> +index 5c329543e2..5e5438a708 100644
>> +--- a/src/net/http/transport_test.go
>> ++++ b/src/net/http/transport_test.go
>> +@@ -5133,3 +5133,30 @@ func TestTransportIgnores408(t *testing.T) {
>> + }
>> + t.Fatalf("timeout after %v waiting for Transport connections to
>> die off", time.Since(t0))
>> + }
>> ++
>> ++func TestInvalidHeaderResponse(t *testing.T) {
>> ++ setParallel(t)
>> ++ defer afterTest(t)
>> ++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w
>> ResponseWriter, r *Request) {
>> ++ conn, buf, _ := w.(Hijacker).Hijack()
>> ++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
>> ++ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
>> ++ "Content-Type: text/html; charset=utf-8\r\n" +
>> ++ "Content-Length: 0\r\n" +
>> ++ "Foo : bar\r\n\r\n"))
>> ++ buf.Flush()
>> ++ conn.Close()
>> ++ }))
>> ++ defer cst.close()
>> ++ res, err := cst.c.Get(cst.ts.URL)
>> ++ if err != nil {
>> ++ t.Fatal(err)
>> ++ }
>> ++ defer res.Body.Close()
>> ++ if v := res.Header.Get("Foo"); v != "" {
>> ++ t.Errorf(`unexpected "Foo" header: %q`, v)
>> ++ }
>> ++ if v := res.Header.Get("Foo "); v != "bar" {
>> ++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
>> ++ }
>> ++}
>> +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
>> +index 2c4f25d5ae..1a5e364cf7 100644
>> +--- a/src/net/textproto/reader.go
>> ++++ b/src/net/textproto/reader.go
>> +@@ -493,18 +493,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader,
>> error) {
>> + return m, err
>> + }
>> +
>> +- // Key ends at first colon; should not have trailing
>> spaces
>> +- // but they appear in the wild, violating specs, so we
>> remove
>> +- // them if present.
>> ++ // Key ends at first colon.
>> + i := bytes.IndexByte(kv, ':')
>> + if i < 0 {
>> + return m, ProtocolError("malformed MIME header
>> line: " + string(kv))
>> + }
>> +- endKey := i
>> +- for endKey > 0 && kv[endKey-1] == ' ' {
>> +- endKey--
>> +- }
>> +- key := canonicalMIMEHeaderKey(kv[:endKey])
>> ++ key := canonicalMIMEHeaderKey(kv[:i])
>> +
>> + // As per RFC 7230 field-name is a token, tokens consist
>> of one or more chars.
>> + // We could return a ProtocolError here, but better to be
>> liberal in what we
>> +diff --git a/src/net/textproto/reader_test.go
>> b/src/net/textproto/reader_test.go
>> +index f85fbdc36d..b92fdcd3c7 100644
>> +--- a/src/net/textproto/reader_test.go
>> ++++ b/src/net/textproto/reader_test.go
>> +@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {
>> + }
>> + }
>> +
>> +-// Test that we read slightly-bogus MIME headers seen in the wild,
>> +-// with spaces before colons, and spaces in keys.
>> ++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
>> ++// with spaces before colons, and accept spaces in keys.
>> + func TestReadMIMEHeaderNonCompliant(t *testing.T) {
>> +- // Invalid HTTP response header as sent by an Axis security
>> +- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
>> ++ // These invalid headers will be rejected by net/http according
>> to RFC 7230.
>> + r := reader("Foo: bar\r\n" +
>> + "Content-Language: en\r\n" +
>> + "SID : 0\r\n" +
>> +@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
>> + want := MIMEHeader{
>> + "Foo": {"bar"},
>> + "Content-Language": {"en"},
>> +- "Sid": {"0"},
>> +- "Audio Mode": {"None"},
>> +- "Privilege": {"127"},
>> ++ "SID ": {"0"},
>> ++ "Audio Mode ": {"None"},
>> ++ "Privilege ": {"127"},
>> + }
>> + if !reflect.DeepEqual(m, want) || err != nil {
>> + t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err,
>> want)
>> --
>> 2.7.4
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>>
>
[Attachment #5 (text/html)]
<div dir="ltr">I'm sorry I was looking at wrong build \
before.<div><br></div><div>It doesn't happen in zeus and master. Only with \
warrior where this was backported as well in:</div><div>"[OE-core] [warrior \
18/19] go: fix CVE-2019-16276"</div><div><br></div><div>Probably because warrior \
is using older minor version of 1.12 go:</div><div>-GO_MINOR = \
".1"<br>+GO_MINOR = ".9"<br></div><div><br></div></div><br><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 31, 2019 at 12:49 \
PM Martin Jansa <<a \
href="mailto:martin.jansa@gmail.com">martin.jansa@gmail.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">This \
seems to cause:<div><br></div><div>ERROR: go-native-1.12.1-r0 do_patch: Fuzz \
detected:<br><br>Applying patch \
0001-release-branch.go1.12-security-net-textproto-don-t-n.patch<br>patching file \
src/net/http/serve_test.go<br>patching file src/net/http/transport_test.go<br>Hunk #1 \
succeeded at 5059 with fuzz 2 (offset -74 lines).<br>patching file \
src/net/textproto/reader.go<br>patching file \
src/net/textproto/reader_test.go<br><br>The context lines in the patches can be \
updated with devtool:<br><br> devtool modify go-native<br> devtool finish \
--force-patch-refresh go-native <layer_path><br><br>Don't forget to review \
changes done by devtool!<br><br>ERROR: go-native-1.12.1-r0 do_patch: QA Issue: Patch \
log indicates that patches do not apply cleanly. \
[patch-fuzz]<br></div><div><br></div><div>and the same for go-cross and \
go-runtime.</div><div><br></div><div>The version currently in master is the same, so \
I guess both are showing this QA \
issue.</div><div><br></div><div>Regards,</div></div><br><div class="gmail_quote"><div \
dir="ltr" class="gmail_attr">On Sat, Oct 26, 2019 at 8:54 AM Armin Kuster <<a \
href="mailto:akuster808@gmail.com" target="_blank">akuster808@gmail.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: Chen Qi <<a \
href="mailto:Qi.Chen@windriver.com" target="_blank">Qi.Chen@windriver.com</a>><br> \
<br>
Signed-off-by: Chen Qi <<a href="mailto:Qi.Chen@windriver.com" \
target="_blank">Qi.Chen@windriver.com</a>><br>
Signed-off-by: Richard Purdie <<a href="mailto:richard.purdie@linuxfoundation.org" \
target="_blank">richard.purdie@linuxfoundation.org</a>><br> (cherry picked from \
commit e31f87e289dfd3bbca961e927447a9c7ba816d3f)<br>
Signed-off-by: Armin Kuster <<a href="mailto:akuster808@gmail.com" \
target="_blank">akuster808@gmail.com</a>><br>
---<br>
meta/recipes-devtools/go/go-1.12.inc | 1 +<br>
...nch.go1.12-security-net-textproto-don-t-n.patch | 163 +++++++++++++++++++++<br>
2 files changed, 164 insertions(+)<br>
create mode 100644 \
meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch<br>
<br>
diff --git a/meta/recipes-devtools/go/go-1.12.inc \
b/meta/recipes-devtools/go/go-1.12.inc<br> index 39157ff..ed14b17 100644<br>
--- a/meta/recipes-devtools/go/go-1.12.inc<br>
+++ b/meta/recipes-devtools/go/go-1.12.inc<br>
@@ -16,6 +16,7 @@ SRC_URI += "\<br>
file://0006-cmd-dist-separate-host-and-target-builds.patch \<br>
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \<br>
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \<br>
+ file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \<br>
"<br>
SRC_URI_append_libc-musl = " \
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"<br> <br>
diff --git a/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
b/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch<br>
new file mode 100644<br>
index 0000000..7b39dbd<br>
--- /dev/null<br>
+++ b/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch<br>
@@ -0,0 +1,163 @@<br>
+From 265b691ac440bfb711d8de323346f7d72e620efe Mon Sep 17 00:00:00 2001<br>
+From: Filippo Valsorda <<a href="mailto:filippo@golang.org" \
target="_blank">filippo@golang.org</a>><br> +Date: Thu, 12 Sep 2019 12:37:36 \
-0400<br> +Subject: [PATCH] [release-branch.go1.12-security] net/textproto: \
don't<br> + normalize headers with spaces before the colon<br>
+<br>
+RFC 7230 is clear about headers with a space before the colon, like<br>
+<br>
+X-Answer : 42<br>
+<br>
+being invalid, but we've been accepting and normalizing them for \
compatibility<br> +purposes since CL 5690059 in 2012.<br>
+<br>
+On the client side, this is harmless and indeed most browsers behave the same<br>
+to this day. On the server side, this becomes a security issue when the<br>
+behavior doesn't match that of a reverse proxy sitting in front of the \
server.<br> +<br>
+For example, if a WAF accepts them without normalizing them, it might be<br>
+possible to bypass its filters, because the Go server would interpret the<br>
+header differently. Worse, if the reverse proxy coalesces requests onto a<br>
+single HTTP/1.1 connection to a Go server, the understanding of the request<br>
+boundaries can get out of sync between them, allowing an attacker to tack an<br>
+arbitrary method and path onto a request by other clients, including<br>
+authentication headers unknown to the attacker.<br>
+<br>
+This was recently presented at multiple security conferences:<br>
+<a href="https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn" \
rel="noreferrer" target="_blank">https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn</a><br>
+<br>
+net/http servers already reject header keys with invalid characters.<br>
+Simply stop normalizing extra spaces in net/textproto, let it return them<br>
+unchanged like it does for other invalid headers, and let net/http enforce<br>
+RFC 7230, which is HTTP specific. This loses us normalization on the client<br>
+side, but there's no right answer on the client side anyway, and hiding the<br>
+issue sounds worse than letting the application decide.<br>
+<br>
+Fixes CVE-2019-16276<br>
+<br>
+Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1<br>
+Reviewed-on: <a href="https://team-review.git.corp.google.com/c/golang/go-private/+/549719+Reviewed-by" \
rel="noreferrer" target="_blank">https://team-review.git.corp.google.com/c/golang/go-private/+/549719<br>
+Reviewed-by</a>: Brad Fitzpatrick <<a href="mailto:bradfitz@google.com" \
target="_blank">bradfitz@google.com</a>><br> +(cherry picked from commit \
1280b868e82bf173ea3e988be3092d160ee66082)<br> +Reviewed-on: <a \
href="https://team-review.git.corp.google.com/c/golang/go-private/+/558776+Reviewed-by" \
rel="noreferrer" target="_blank">https://team-review.git.corp.google.com/c/golang/go-private/+/558776<br>
+Reviewed-by</a>: Dmitri Shuralyov <<a href="mailto:dmitshur@google.com" \
target="_blank">dmitshur@google.com</a>><br> +<br>
+CVE: CVE-2019-16276<br>
+<br>
+Upstream-Status: Backport [<a \
href="https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8</a>]<br>
+<br>
+Signed-off-by: Chen Qi <<a href="mailto:Qi.Chen@windriver.com" \
target="_blank">Qi.Chen@windriver.com</a>><br> +---<br>
+ src/net/http/serve_test.go | 4 ++++<br>
+ src/net/http/transport_test.go | 27 +++++++++++++++++++++++++++<br>
+ src/net/textproto/reader.go | 10 ++--------<br>
+ src/net/textproto/reader_test.go | 13 ++++++-------<br>
+ 4 files changed, 39 insertions(+), 15 deletions(-)<br>
+<br>
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go<br>
+index 6eb0088a96..89bfdfbb82 100644<br>
+--- a/src/net/http/serve_test.go<br>
++++ b/src/net/http/serve_test.go<br>
+@@ -4748,6 +4748,10 @@ func TestServerValidatesHeaders(t *testing.T) {<br>
+ {"foo\xffbar: foo\r\n", 400}, \
// binary in header<br> + {"foo\x00bar: foo\r\n", \
400}, // binary in header<br> + \
{"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", \
431}, // header too large<br> ++ // Spaces between the header key \
and colon are not allowed.<br> ++ // See RFC 7230, Section \
3.2.4.<br> ++ {"Foo : bar\r\n", 400},<br>
++ {"Foo\t: bar\r\n", 400},<br>
+ <br>
+ {"foo: foo foo\r\n", 200}, // LWS space is \
okay<br> + {"foo: foo\tfoo\r\n", 200}, // LWS tab \
is okay<br> +diff --git a/src/net/http/transport_test.go \
b/src/net/http/transport_test.go<br> +index 5c329543e2..5e5438a708 100644<br>
+--- a/src/net/http/transport_test.go<br>
++++ b/src/net/http/transport_test.go<br>
+@@ -5133,3 +5133,30 @@ func TestTransportIgnores408(t *testing.T) {<br>
+ }<br>
+ t.Fatalf("timeout after %v waiting for Transport connections to die \
off", time.Since(t0))<br> + }<br>
++<br>
++func TestInvalidHeaderResponse(t *testing.T) {<br>
++ setParallel(t)<br>
++ defer afterTest(t)<br>
++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r \
*Request) {<br> ++ conn, buf, _ := w.(Hijacker).Hijack()<br>
++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +<br>
++ "Date: Wed, 30 Aug 2017 19:09:27 \
GMT\r\n" +<br> ++ "Content-Type: text/html; \
charset=utf-8\r\n" +<br> ++ \
"Content-Length: 0\r\n" +<br> ++ "Foo \
: bar\r\n\r\n"))<br> ++ buf.Flush()<br>
++ conn.Close()<br>
++ }))<br>
++ defer cst.close()<br>
++ res, err := cst.c.Get(cst.ts.URL)<br>
++ if err != nil {<br>
++ t.Fatal(err)<br>
++ }<br>
++ defer res.Body.Close()<br>
++ if v := res.Header.Get("Foo"); v != "" {<br>
++ t.Errorf(`unexpected "Foo" header: %q`, v)<br>
++ }<br>
++ if v := res.Header.Get("Foo "); v != "bar" {<br>
++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, \
"bar")<br> ++ }<br>
++}<br>
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go<br>
+index 2c4f25d5ae..1a5e364cf7 100644<br>
+--- a/src/net/textproto/reader.go<br>
++++ b/src/net/textproto/reader.go<br>
+@@ -493,18 +493,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {<br>
+ return m, err<br>
+ }<br>
+ <br>
+- // Key ends at first colon; should not have trailing \
spaces<br> +- // but they appear in the wild, violating specs, so \
we remove<br> +- // them if present.<br>
++ // Key ends at first colon.<br>
+ i := bytes.IndexByte(kv, ':')<br>
+ if i < 0 {<br>
+ return m, ProtocolError("malformed MIME \
header line: " + string(kv))<br> + }<br>
+- endKey := i<br>
+- for endKey > 0 && kv[endKey-1] == ' ' {<br>
+- endKey--<br>
+- }<br>
+- key := canonicalMIMEHeaderKey(kv[:endKey])<br>
++ key := canonicalMIMEHeaderKey(kv[:i])<br>
+ <br>
+ // As per RFC 7230 field-name is a token, tokens consist of \
one or more chars.<br> + // We could return a ProtocolError \
here, but better to be liberal in what we<br> +diff --git \
a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go<br> +index \
f85fbdc36d..b92fdcd3c7 100644<br> +--- a/src/net/textproto/reader_test.go<br>
++++ b/src/net/textproto/reader_test.go<br>
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {<br>
+ }<br>
+ }<br>
+ <br>
+-// Test that we read slightly-bogus MIME headers seen in the wild,<br>
+-// with spaces before colons, and spaces in keys.<br>
++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers<br>
++// with spaces before colons, and accept spaces in keys.<br>
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {<br>
+- // Invalid HTTP response header as sent by an Axis security<br>
+- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)<br>
++ // These invalid headers will be rejected by net/http according to RFC \
7230.<br> + r := reader("Foo: bar\r\n" +<br>
+ "Content-Language: en\r\n" +<br>
+ "SID : 0\r\n" +<br>
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {<br>
+ want := MIMEHeader{<br>
+ "Foo": {"bar"},<br>
+ "Content-Language": {"en"},<br>
+- "Sid": {"0"},<br>
+- "Audio Mode": {"None"},<br>
+- "Privilege": {"127"},<br>
++ "SID ": {"0"},<br>
++ "Audio Mode ": {"None"},<br>
++ "Privilege ": {"127"},<br>
+ }<br>
+ if !reflect.DeepEqual(m, want) || err != nil {<br>
+ t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, \
err, want)<br>
-- <br>
2.7.4<br>
<br>
-- <br>
_______________________________________________<br>
Openembedded-core mailing list<br>
<a href="mailto:Openembedded-core@lists.openembedded.org" \
target="_blank">Openembedded-core@lists.openembedded.org</a><br> <a \
href="http://lists.openembedded.org/mailman/listinfo/openembedded-core" \
rel="noreferrer" target="_blank">http://lists.openembedded.org/mailman/listinfo/openembedded-core</a><br>
</blockquote></div>
</blockquote></div>
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic