Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: update to go1.20.6 #43

Merged
merged 4 commits into from
Jul 18, 2023
Merged

chore: update to go1.20.6 #43

merged 4 commits into from
Jul 18, 2023

Conversation

bassosimone
Copy link
Contributor

Part of ooni/probe#2503

bassosimone and others added 4 commits June 8, 2023 17:57
@bassosimone
chore: prepare for merging go1.20.5
bebf83b
@neild @joedian
[release-branch.go1.20] net/http: validate Host header before sending
e5b8f0b 
Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

For #60374
Fixes #61076
For CVE-2023-29406

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/507357
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
@bassosimone
chore: prepare for merging go1.20.6
bde8728 
See ooni/probe#2503
@bassosimone
Merge branch 'go1.20.6' into merged-main
a2e27a9 
Conflicts:
	http_test.go
	request.go
@bassosimone bassosimone merged commit da0547f into main Jul 18, 2023
@bassosimone bassosimone deleted the merged-main branch July 18, 2023 13:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bassosimone @neild