dgit.raspbian.org Git - golang-1.7.git/commit

CVE-2019-9741

Origin: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca
Origin: https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-12

From 829c5df58694b3345cb5ea41206783c8ccf5c3ca Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Wed, 23 Jan 2019 19:09:07 +0000
Subject: [PATCH] net/url, net/http: reject control characters in URLs

This is a more conservative version of the reverted CL 99135 (which
was reverted in CL 137716)

The net/url part rejects URLs with ASCII CTLs from being parsed and
the net/http part rejects writing them if a bogus url.URL is
constructed otherwise.

Updates #27302
Updates #22907

Change-Id: I09a2212eb74c63db575223277aec363c55421ed8
Reviewed-on: https://go-review.googlesource.com/c/159157
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Gbp-Pq: Name CVE-2019-9741.patch

author	Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
	Tue, 26 Apr 2022 17:32:45 +0000 (18:32 +0100)
committer	Sylvain Beucler <beuc@debian.org>
	Tue, 26 Apr 2022 17:32:45 +0000 (18:32 +0100)
commit	b5643e2c6a563bb94d5f184b18b470b9df78b418
tree	7640461266afb806f9e7534afb0692f9a9a2a7b6	tree \| snapshot
parent	7d86d6440d530068cb4172b789cd5308e93be149	commit \| diff

src/net/http/fs_test.go		diff \| blob \| history
src/net/http/http.go		diff \| blob \| history
src/net/http/request.go		diff \| blob \| history
src/net/http/requestwrite_test.go		diff \| blob \| history
src/net/url/url.go		diff \| blob \| history
src/net/url/url_test.go		diff \| blob \| history