diff options
author | Roberto Clapis <roberto@golang.org> | 2021-04-07 14:36:40 +0200 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2021-05-10 23:42:56 +0000 |
commit | 5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a (patch) | |
tree | 2b936bb8bf6f8957348dcb17e424d9559c737372 /src/net/http/request.go | |
parent | dc50683bf7ebdfde726d710131ba05fe97e10a07 (diff) | |
download | go-5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a.tar.gz go-5c489514bc5e61ad9b5b07bd7d8ec65d66a0512a.zip |
net/http: switch HTTP1 to ASCII equivalents of string functions
The current implementation uses UTF-aware functions
like strings.EqualFold and strings.ToLower.
This could, in some cases, cause http smuggling.
Change-Id: I0e76a993470a1e1b1b472f4b2859ea0a2b22ada0
Reviewed-on: https://go-review.googlesource.com/c/go/+/308009
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Roberto Clapis <roberto@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/net/http/request.go')
-rw-r--r-- | src/net/http/request.go | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go index 4a07eb1c79..7895417af5 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -19,6 +19,7 @@ import ( "mime/multipart" "net" "net/http/httptrace" + "net/http/internal/ascii" "net/textproto" "net/url" urlpkg "net/url" @@ -723,7 +724,7 @@ func idnaASCII(v string) (string, error) { // version does not. // Note that for correct ASCII IDNs ToASCII will only do considerably more // work, but it will not cause an allocation. - if isASCII(v) { + if ascii.Is(v) { return v, nil } return idna.Lookup.ToASCII(v) @@ -948,7 +949,7 @@ func (r *Request) BasicAuth() (username, password string, ok bool) { func parseBasicAuth(auth string) (username, password string, ok bool) { const prefix = "Basic " // Case insensitive prefix match. See Issue 22736. - if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) { + if len(auth) < len(prefix) || !ascii.EqualFold(auth[:len(prefix)], prefix) { return } c, err := base64.StdEncoding.DecodeString(auth[len(prefix):]) @@ -1456,5 +1457,5 @@ func requestMethodUsuallyLacksBody(method string) bool { // an HTTP/1 connection. func (r *Request) requiresHTTP1() bool { return hasToken(r.Header.Get("Connection"), "upgrade") && - strings.EqualFold(r.Header.Get("Upgrade"), "websocket") + ascii.EqualFold(r.Header.Get("Upgrade"), "websocket") } |