dgit.raspbian.org Git - golang-1.7.git/commit

CVE-2019-9741

Origin: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca
Origin: https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-12

From 829c5df58694b3345cb5ea41206783c8ccf5c3ca Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Wed, 23 Jan 2019 19:09:07 +0000
Subject: [PATCH] net/url, net/http: reject control characters in URLs

This is a more conservative version of the reverted CL 99135 (which
was reverted in CL 137716)

The net/url part rejects URLs with ASCII CTLs from being parsed and
the net/http part rejects writing them if a bogus url.URL is
constructed otherwise.

Updates #27302
Updates #22907

Change-Id: I09a2212eb74c63db575223277aec363c55421ed8
Reviewed-on: https://go-review.googlesource.com/c/159157
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Gbp-Pq: Name CVE-2019-9741.patch

author	Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
	Fri, 21 Jan 2022 18:45:18 +0000 (18:45 +0000)
committer	Sylvain Beucler <beuc@debian.org>
	Fri, 21 Jan 2022 18:45:18 +0000 (18:45 +0000)
commit	98bb665e568f755692d7dd8f540721b302dce8ec
tree	45b9b6d169caa5e5ba6c63c4d679d7752908ba81	tree \| snapshot
parent	72ab2bbb564de36628e062286e38059b5af30943	commit \| diff

src/net/http/fs_test.go		diff \| blob \| history
src/net/http/http.go		diff \| blob \| history
src/net/http/request.go		diff \| blob \| history
src/net/http/requestwrite_test.go		diff \| blob \| history
src/net/url/url.go		diff \| blob \| history
src/net/url/url_test.go		diff \| blob \| history