Hot off the trail of http://golang.org/issue/11930, I think I'm getting the hang of this. I've found yet another class of read error which escapes the checks just put in place: broken HTTP request trailers. Properly crafted requests with broken trailers could pass through one level of protective proxy to unwanted requests to a Go backend.
As discussed in https://go-review.googlesource.com/#/c/12909, some race conditions and other problems still exist that are all worth fixing with a small refactoring, but that would be overkill for the looming 1.5 release. (I've got a working draft to share soon, though.)
Using the plumbing just introduced to fix #11930, a surgical fix to the broken trailer problem is fairly trivial. I'll have a CL up momentarily.
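An added example, not part of the original issue or of the Go project's fix: code that parses requests off a raw stream with `net/http` should treat any body read error, including a trailer that fails to parse, as the end of that connection rather than continue parsing. The two requests, the host, the path and the `X-Checksum` trailer name are constructed for illustration, and the behaviour shown assumes a current Go release.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample requests; host, path and trailer name are made up.
const head = "POST /upload HTTP/1.1\r\nHost: backend.example\r\n" +
	"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n" +
	"5\r\nhello\r\n0\r\n"

const (
	goodTrailerReq   = head + "X-Checksum: abc\r\n\r\n"
	brokenTrailerReq = head + "not a header line\r\n\r\n" // trailer line has no colon
)

// drainBody parses one request from raw bytes, reads its body to the end and
// reports whether the stream is still safe to reuse for another request.
func drainBody(raw string) (body string, reusable bool, err error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", false, err
	}
	defer req.Body.Close()
	b, err := io.ReadAll(req.Body)
	// io.ReadAll maps a clean io.EOF to nil. Any other result, including a
	// trailer that fails to parse, means the end of this message was never
	// established, so the bytes that follow must not be parsed as a request.
	return string(b), err == nil, err
}

func main() {
	for _, raw := range []string{goodTrailerReq, brokenTrailerReq} {
		body, reusable, err := drainBody(raw)
		fmt.Printf("body=%q reusable=%v err=%v\n", body, reusable, err)
	}
}
```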