author | Roberto Clapis <roberto@golang.org> | 2021-04-07 14:36:40 +0200 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2021-05-10 23:42:56 +0000 |
commit | 5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a (patch) | |
tree | 2b936bb8bf6f8957348dcb17e424d9559c737372 /src/net/http/header.go | |
parent | dc50683bf7ebdfde726d710131ba05fe97e10a07 (diff) | |
net/http: switch HTTP1 to ASCII equivalents of string functions
The current implementation uses UTF-aware functions
like strings.EqualFold and strings.ToLower.
This could, in some cases, cause http smuggling.
Change-Id: I0e76a993470a1e1b1b472f4b2859ea0a2b22ada0
Reviewed-on: https://go-review.googlesource.com/c/go/+/308009
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Roberto Clapis <roberto@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/net/http/header.go')
-rw-r--r-- | src/net/http/header.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/net/http/header.go b/src/net/http/header.go
index b9b53911f3..4c72dcb2c8 100644
--- a/src/net/http/header.go
+++ b/src/net/http/header.go
@@ -7,6 +7,7 @@ package http
 import (
 "io"
 "net/http/httptrace"
+ "net/http/internal/ascii"
 "net/textproto"
 "sort"
 "strings"
@@ -251,7 +252,7 @@ func hasToken(v, token string) bool {
 if endPos := sp + len(token); endPos != len(v) && !isTokenBoundary(v[endPos]) {
 continue
 }
- if strings.EqualFold(v[sp:sp+len(token)], token) {
+ if ascii.EqualFold(v[sp:sp+len(token)], token) {
 return true
 }
 } |
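Review bot: The `ascii.EqualFold` call in hasToken carries no comment explaining why the ASCII-only helper is used, so a later cleanup could swap `strings.EqualFold` back in without noticing the security intent. I would add above it `// ASCII-only fold: HTTP tokens are ASCII, and Unicode case folding (e.g. U+212A KELVIN SIGN matching 'k') must never make a header value equal a token.` The commit message ties the Unicode-aware functions to HTTP smuggling, but that rationale is not visible at the call site. hasToken starts and ends outside this hunk, so its doc comment may already say this. A table-driven test case with a non-ASCII header value would also pin the behaviour, if the parts of the change not shown here do not already include one.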