net/http: switch HTTP1 to ASCII equivalents of string functions

The current implementation uses UTF-aware functions like strings.EqualFold and strings.ToLower. This could, in some cases, cause http smuggling. Change-Id: I0e76a993470a1e1b1b472f4b2859ea0a2b22ada0 Reviewed-on: https://go-review.googlesource.com/c/go/+/308009 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Trust: Roberto Clapis <roberto@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
author: Roberto Clapis <roberto@golang.org> 2021-04-07 14:36:40 +0200
committer: Filippo Valsorda <filippo@golang.org> 2021-05-10 23:42:56 +0000
commit: 5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a (patch)
tree: 2b936bb8bf6f8957348dcb17e424d9559c737372 /src/net/http/header.go
parent: dc50683bf7ebdfde726d710131ba05fe97e10a07 (diff)
download: go-5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a.tar.gz
go-5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/net/http/header.go b/src/net/http/header.go
index b9b53911f3..4c72dcb2c8 100644
--- a/src/net/http/header.go
+++ b/src/net/http/header.go
@@ -7,6 +7,7 @@ package http
 import (
 	"io"
 	"net/http/httptrace"
+	"net/http/internal/ascii"
 	"net/textproto"
 	"sort"
 	"strings"
@@ -251,7 +252,7 @@ func hasToken(v, token string) bool {
 		if endPos := sp + len(token); endPos != len(v) && !isTokenBoundary(v[endPos]) {
 			continue
 		}
-		if strings.EqualFold(v[sp:sp+len(token)], token) {
+		if ascii.EqualFold(v[sp:sp+len(token)], token) {
 			return true
 		}
 	}
author	Roberto Clapis <roberto@golang.org>	2021-04-07 14:36:40 +0200
committer	Filippo Valsorda <filippo@golang.org>	2021-05-10 23:42:56 +0000
commit	5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a (patch)
tree	2b936bb8bf6f8957348dcb17e424d9559c737372 /src/net/http/header.go
parent	dc50683bf7ebdfde726d710131ba05fe97e10a07 (diff)
download	go-5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a.tar.gz go-5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a.zip