
x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll [1.19 backport] #56676

Closed
gopherbot opened this issue Nov 9, 2022 · 3 comments

Comments

@gopherbot

@neild requested issue #56352 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues, this is a potential request smuggling vector

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Nov 9, 2022
@gopherbot gopherbot modified the milestones: Unreleased, Go1.19.4 Nov 9, 2022
@toothrot
Contributor

@neild Can you provide a little more detail in the justification on the backport? Is this a significant regression or security issue?

@neild neild added the Security label Nov 16, 2022
@neild
Contributor

neild commented Nov 16, 2022

@toothrot This is a (minor) security issue.

@cherrymui cherrymui added the CherryPickApproved Used during the release process for point releases label Nov 23, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Nov 23, 2022
@neild
Contributor

neild commented Nov 30, 2022

Looking at this now, I lost track of where the fix was applied: The fix is in the golang.org/x/net/http2/h2c package, which is not vendored. No backport necessary.

@dmitshur dmitshur removed Security CherryPickApproved Used during the release process for point releases labels Dec 7, 2022
@dmitshur dmitshur closed this as not planned Won't fix, can't repro, duplicate, stale Dec 7, 2022
@golang golang locked and limited conversation to collaborators Dec 7, 2023