• Brad Fitzpatrick's avatar
    net/http: validate transmitted header fields · 0026cb78
    Brad Fitzpatrick authored
    This makes sure the net/http package never attempts to transmit a
    bogus header field key or value and instead fails fast with an error
    to the user, rather than relying on the server to maybe return an
    error.
    
    It's still possible to use x/net/http2.Transport directly to send
    bogus stuff. This change only stops h1 & h2 usage via the net/http
    package. A future change will update x/net/http2.
    
    This change also moves some code from request.go to lex.go, which in a
    separate future change should be moved so it can be shared with http2
    to reduce code bloat.
    
    Updates #14048
    
    Change-Id: I0a44ae1ab357fbfcbe037aa4b5d50669a87f2856
    Reviewed-on: https://go-review.googlesource.com/21326Reviewed-by: default avatarAndrew Gerrand <adg@golang.org>
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    0026cb78
request.go 32.6 KB