diff options
| author | Artur M. Wolff <artur.m.wolff@gmail.com> | 2021-03-21 01:18:21 +0100 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2021-03-23 17:46:42 +0000 |
| commit | 05250429ae0e43041c9976a8451426d3ad907e5a (patch) | |
| tree | c5764200cc8b1838fba7bdb84ecf3aff3be15761 /src/net/http/request.go | |
| parent | 9b78c68a15eb2cd8075ceeaaaca9c1e63c3a894c (diff) | |
| download | go-05250429ae0e43041c9976a8451426d3ad907e5a.tar.gz go-05250429ae0e43041c9976a8451426d3ad907e5a.zip | |
net/http: treat MaxBytesReader's negative limits as equivalent to zero limit
Current MaxBytesReader behaviour differs from its documentation. It's
not similar enough to io.LimitReader. It panics when limit (n) < -1 and
returns [-1, <nil>] when limit (n) = -1. To fix that, we treat all
negative limits as equivalent to 0.
It would be possible to make MaxBytesReader analogically identical in
behaviour to io.LimitReader, but that would require to stop
maxBytesReader's Read from reading past the limit. Read always reads one
more byte (if possible) for non-negative limits and returns a non-EOF
error. This behaviour will now apply to all limits.
Fixes #45101
Change-Id: I25d1877dbff1eb4b195c8741fe5e4a025d01ebc0
Reviewed-on: https://go-review.googlesource.com/c/go/+/303171
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Trust: Damien Neil <dneil@google.com>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Diffstat (limited to 'src/net/http/request.go')
| -rw-r--r-- | src/net/http/request.go | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go index aca55b1ca7..ff21f19942 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -1124,6 +1124,9 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro // MaxBytesReader prevents clients from accidentally or maliciously // sending a large request and wasting server resources. func MaxBytesReader(w ResponseWriter, r io.ReadCloser, n int64) io.ReadCloser { + if n < 0 { // Treat negative limits as equivalent to 0. + n = 0 + } return &maxBytesReader{w: w, r: r, n: n} } |