[Pkg-golang-commits] [golang] 02/05: Imported Upstream version 1.6.3
Michael Hudson-Doyle
mwhudson-guest at moszumanska.debian.org
Tue Jul 19 04:24:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
mwhudson-guest pushed a commit to branch golang-1.6
in repository golang.
commit 341ee61cb874858a72d0b3af196e72ac3e17cb7c
Author: Michael Hudson-Doyle <michael.hudson at canonical.com>
Date: Tue Jul 19 14:58:47 2016 +1200
Imported Upstream version 1.6.3
---
VERSION | 2 +-
doc/devel/release.html | 8 ++++++++
src/net/http/cgi/host.go | 4 ++++
src/net/http/cgi/host_test.go | 37 ++++++++++++++++++++++++++++++++++---
src/net/http/transport.go | 3 +++
src/net/http/transport_test.go | 14 +++++++++++++-
src/runtime/sys_darwin_386.s | 5 +++++
src/runtime/sys_darwin_amd64.s | 7 ++++++-
8 files changed, 74 insertions(+), 6 deletions(-)
diff --git a/VERSION b/VERSION
index 17df20d..278d291 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.6.2
\ No newline at end of file
+go1.6.3
\ No newline at end of file
diff --git a/doc/devel/release.html b/doc/devel/release.html
index a1a615f..4dce1b4 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -53,6 +53,14 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.6.2">Go
1.6.2 milestone</a> on our issue tracker for details.
</p>
+<p>
+go1.6.3 (released 2016/07/17) includes security fixes to the
+<code>net/http/cgi</code> package and <code>net/http</code> package when used in
+a CGI environment. This release also adds support for macOS Sierra.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.6.3">Go
+1.6.3 milestone</a> on our issue tracker for details.
+</p>
+
<h2 id="go1.5">go1.5 (released 2015/08/19)</h2>
<p>
diff --git a/src/net/http/cgi/host.go b/src/net/http/cgi/host.go
index 9b4d875..3f1600b 100644
--- a/src/net/http/cgi/host.go
+++ b/src/net/http/cgi/host.go
@@ -145,6 +145,10 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
for k, v := range req.Header {
k = strings.Map(upperCaseAndUnderscore, k)
+ if k == "PROXY" {
+ // See Issue 16405
+ continue
+ }
joinStr := ", "
if k == "COOKIE" {
joinStr = "; "
diff --git a/src/net/http/cgi/host_test.go b/src/net/http/cgi/host_test.go
index 3327764..2783fe1 100644
--- a/src/net/http/cgi/host_test.go
+++ b/src/net/http/cgi/host_test.go
@@ -34,15 +34,18 @@ func newRequest(httpreq string) *http.Request {
return req
}
-func runCgiTest(t *testing.T, h *Handler, httpreq string, expectedMap map[string]string) *httptest.ResponseRecorder {
+func runCgiTest(t *testing.T, h *Handler,
+ httpreq string,
+ expectedMap map[string]string, checks ...func(reqInfo map[string]string)) *httptest.ResponseRecorder {
rw := httptest.NewRecorder()
req := newRequest(httpreq)
h.ServeHTTP(rw, req)
- runResponseChecks(t, rw, expectedMap)
+ runResponseChecks(t, rw, expectedMap, checks...)
return rw
}
-func runResponseChecks(t *testing.T, rw *httptest.ResponseRecorder, expectedMap map[string]string) {
+func runResponseChecks(t *testing.T, rw *httptest.ResponseRecorder,
+ expectedMap map[string]string, checks ...func(reqInfo map[string]string)) {
// Make a map to hold the test map that the CGI returns.
m := make(map[string]string)
m["_body"] = rw.Body.String()
@@ -80,6 +83,9 @@ readlines:
t.Errorf("for key %q got %q; expected %q", key, got, expected)
}
}
+ for _, check := range checks {
+ check(m)
+ }
}
var cgiTested, cgiWorks bool
@@ -235,6 +241,31 @@ func TestDupHeaders(t *testing.T) {
expectedMap)
}
+// Issue 16405: CGI+http.Transport differing uses of HTTP_PROXY.
+// Verify we don't set the HTTP_PROXY environment variable.
+// Hope nobody was depending on it. It's not a known header, though.
+func TestDropProxyHeader(t *testing.T) {
+ check(t)
+ h := &Handler{
+ Path: "testdata/test.cgi",
+ }
+ expectedMap := map[string]string{
+ "env-REQUEST_URI": "/myscript/bar?a=b",
+ "env-SCRIPT_FILENAME": "testdata/test.cgi",
+ "env-HTTP_X_FOO": "a",
+ }
+ runCgiTest(t, h, "GET /myscript/bar?a=b HTTP/1.0\n"+
+ "X-Foo: a\n"+
+ "Proxy: should_be_stripped\n"+
+ "Host: example.com\n\n",
+ expectedMap,
+ func(reqInfo map[string]string) {
+ if v, ok := reqInfo["env-HTTP_PROXY"]; ok {
+ t.Errorf("HTTP_PROXY = %q; should be absent", v)
+ }
+ })
+}
+
func TestPathInfoNoRoot(t *testing.T) {
check(t)
h := &Handler{
diff --git a/src/net/http/transport.go b/src/net/http/transport.go
index 1e3ea11..794b786 100644
--- a/src/net/http/transport.go
+++ b/src/net/http/transport.go
@@ -216,6 +216,9 @@ func ProxyFromEnvironment(req *Request) (*url.URL, error) {
}
if proxy == "" {
proxy = httpProxyEnv.Get()
+ if proxy != "" && os.Getenv("REQUEST_METHOD") != "" {
+ return nil, errors.New("net/http: refusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxy")
+ }
}
if proxy == "" {
return nil, nil
diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
index d9da078..381432e 100644
--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
@@ -1985,7 +1985,8 @@ type proxyFromEnvTest struct {
env string // HTTP_PROXY
httpsenv string // HTTPS_PROXY
- noenv string // NO_RPXY
+ noenv string // NO_PROXY
+ reqmeth string // REQUEST_METHOD
want string
wanterr error
@@ -2009,6 +2010,10 @@ func (t proxyFromEnvTest) String() string {
space()
fmt.Fprintf(&buf, "no_proxy=%q", t.noenv)
}
+ if t.reqmeth != "" {
+ space()
+ fmt.Fprintf(&buf, "request_method=%q", t.reqmeth)
+ }
req := "http://example.com"
if t.req != "" {
req = t.req
@@ -2032,6 +2037,12 @@ var proxyFromEnvTests = []proxyFromEnvTest{
{req: "https://secure.tld/", env: "http.proxy.tld", httpsenv: "secure.proxy.tld", want: "http://secure.proxy.tld"},
{req: "https://secure.tld/", env: "http.proxy.tld", httpsenv: "https://secure.proxy.tld", want: "https://secure.proxy.tld"},
+ // Issue 16405: don't use HTTP_PROXY in a CGI environment,
+ // where HTTP_PROXY can be attacker-controlled.
+ {env: "http://10.1.2.3:8080", reqmeth: "POST",
+ want: "<nil>",
+ wanterr: errors.New("net/http: refusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxy")},
+
{want: "<nil>"},
{noenv: "example.com", req: "http://example.com/", env: "proxy", want: "<nil>"},
@@ -2047,6 +2058,7 @@ func TestProxyFromEnvironment(t *testing.T) {
os.Setenv("HTTP_PROXY", tt.env)
os.Setenv("HTTPS_PROXY", tt.httpsenv)
os.Setenv("NO_PROXY", tt.noenv)
+ os.Setenv("REQUEST_METHOD", tt.reqmeth)
ResetCachedEnvironment()
reqURL := tt.req
if reqURL == "" {
diff --git a/src/runtime/sys_darwin_386.s b/src/runtime/sys_darwin_386.s
index ad3dca4..430e86d 100644
--- a/src/runtime/sys_darwin_386.s
+++ b/src/runtime/sys_darwin_386.s
@@ -201,6 +201,11 @@ systime:
MOVL $0, 8(SP) // time zone pointer
MOVL $116, AX
INT $0x80
+ CMPL AX, $0
+ JNE inreg
+ MOVL 12(SP), AX
+ MOVL 16(SP), DX
+inreg:
// sec is in AX, usec in DX
// convert to DX:AX nsec
MOVL DX, BX
diff --git a/src/runtime/sys_darwin_amd64.s b/src/runtime/sys_darwin_amd64.s
index 7b9cf6a..e09b906 100644
--- a/src/runtime/sys_darwin_amd64.s
+++ b/src/runtime/sys_darwin_amd64.s
@@ -155,10 +155,15 @@ timeloop:
systime:
// Fall back to system call (usually first call in this thread).
- MOVQ SP, DI // must be non-nil, unused
+ MOVQ SP, DI
MOVQ $0, SI
MOVL $(0x2000000+116), AX
SYSCALL
+ CMPQ AX, $0
+ JNE inreg
+ MOVQ 0(SP), AX
+ MOVL 8(SP), DX
+inreg:
// sec is in AX, usec in DX
// return nsec in AX
IMULQ $1000000000, AX
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-golang/golang.git
More information about the pkg-golang-commits
mailing list