forked from TrueCloudLab/distribution
345be95498
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed in stdlib in go1.19.4 and go1.18.9; > net/http: limit canonical header cache by bytes, not entries > > An attacker can cause excessive memory growth in a Go server accepting > HTTP/2 requests. > > HTTP/2 server connections contain a cache of HTTP header keys sent by > the client. While the total number of entries in this cache is capped, > an attacker sending very large keys can cause the server to allocate > approximately 64 MiB per open connection. > > This issue is also fixed in golang.org/x/net/http2 v0.4.0, > for users manually configuring HTTP/2. full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0 other dependency updates (due to (circular) dependencies): - golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/3c1f35247d10...v0.3.0 - golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.3.7...v0.5.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
105 lines
2.2 KiB
Go
105 lines
2.2 KiB
Go
// Copyright 2014 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package http2
|
|
|
|
import (
|
|
"net/http"
|
|
"sync"
|
|
)
|
|
|
|
var (
|
|
commonBuildOnce sync.Once
|
|
commonLowerHeader map[string]string // Go-Canonical-Case -> lower-case
|
|
commonCanonHeader map[string]string // lower-case -> Go-Canonical-Case
|
|
)
|
|
|
|
func buildCommonHeaderMapsOnce() {
|
|
commonBuildOnce.Do(buildCommonHeaderMaps)
|
|
}
|
|
|
|
func buildCommonHeaderMaps() {
|
|
common := []string{
|
|
"accept",
|
|
"accept-charset",
|
|
"accept-encoding",
|
|
"accept-language",
|
|
"accept-ranges",
|
|
"age",
|
|
"access-control-allow-credentials",
|
|
"access-control-allow-headers",
|
|
"access-control-allow-methods",
|
|
"access-control-allow-origin",
|
|
"access-control-expose-headers",
|
|
"access-control-max-age",
|
|
"access-control-request-headers",
|
|
"access-control-request-method",
|
|
"allow",
|
|
"authorization",
|
|
"cache-control",
|
|
"content-disposition",
|
|
"content-encoding",
|
|
"content-language",
|
|
"content-length",
|
|
"content-location",
|
|
"content-range",
|
|
"content-type",
|
|
"cookie",
|
|
"date",
|
|
"etag",
|
|
"expect",
|
|
"expires",
|
|
"from",
|
|
"host",
|
|
"if-match",
|
|
"if-modified-since",
|
|
"if-none-match",
|
|
"if-unmodified-since",
|
|
"last-modified",
|
|
"link",
|
|
"location",
|
|
"max-forwards",
|
|
"origin",
|
|
"proxy-authenticate",
|
|
"proxy-authorization",
|
|
"range",
|
|
"referer",
|
|
"refresh",
|
|
"retry-after",
|
|
"server",
|
|
"set-cookie",
|
|
"strict-transport-security",
|
|
"trailer",
|
|
"transfer-encoding",
|
|
"user-agent",
|
|
"vary",
|
|
"via",
|
|
"www-authenticate",
|
|
"x-forwarded-for",
|
|
"x-forwarded-proto",
|
|
}
|
|
commonLowerHeader = make(map[string]string, len(common))
|
|
commonCanonHeader = make(map[string]string, len(common))
|
|
for _, v := range common {
|
|
chk := http.CanonicalHeaderKey(v)
|
|
commonLowerHeader[chk] = v
|
|
commonCanonHeader[v] = chk
|
|
}
|
|
}
|
|
|
|
func lowerHeader(v string) (lower string, ascii bool) {
|
|
buildCommonHeaderMapsOnce()
|
|
if s, ok := commonLowerHeader[v]; ok {
|
|
return s, true
|
|
}
|
|
return asciiToLower(v)
|
|
}
|
|
|
|
func canonicalHeader(v string) string {
|
|
buildCommonHeaderMapsOnce()
|
|
if s, ok := commonCanonHeader[v]; ok {
|
|
return s
|
|
}
|
|
return http.CanonicalHeaderKey(v)
|
|
}
|