Currently only the http/https/socks5 schemes are allowed. However, any scheme
could be possible if the user provides their own implementation.

Specifically, the widely used "socks5h://localhost" is parsed as
Scheme="http" Host="socks5h:", which does not make sense because a host
name cannot contain ":".

This patch allows any scheme to appear in the proxy config, and only
falls back to the http scheme if the parsed scheme or host is empty.

url.Parse() result of fallback cases:
localhost      => Scheme="localhost"
localhost:1234 => Scheme="localhost" Opaque="1234"
example.com    => Path="example.com"
Updates golang/go#24135
Change-Id: Ia2c041e37e2ac61be16220fd41d6cb6fabeeca3d
Reviewed-on: https://go-review.googlesource.com/c/net/+/525257
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
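
The before/after proxy parsing rule from the commit message above, as an added example (not the x/net code itself). parseAllowList, parseAnyScheme and withHTTPFallback are hypothetical names, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// parseAllowList reproduces the pre-patch rule described in the commit
// message: any scheme other than http/https/socks5 is treated as bogus and
// the string is re-parsed with "http://" prepended. Hypothetical name.
func parseAllowList(proxy string) (*url.URL, error) {
	u, err := url.Parse(proxy)
	known := err == nil && (u.Scheme == "http" || u.Scheme == "https" || u.Scheme == "socks5")
	return withHTTPFallback(proxy, u, err, !known)
}

// parseAnyScheme applies the post-patch rule: keep whatever scheme was
// parsed and fall back only when the scheme or host is empty. Hypothetical name.
func parseAnyScheme(proxy string) (*url.URL, error) {
	u, err := url.Parse(proxy)
	return withHTTPFallback(proxy, u, err, err != nil || u.Scheme == "" || u.Host == "")
}

// withHTTPFallback retries the parse as "http://"+proxy when fallback is set.
func withHTTPFallback(proxy string, u *url.URL, err error, fallback bool) (*url.URL, error) {
	if fallback {
		if u2, err2 := url.Parse("http://" + proxy); err2 == nil {
			return u2, nil
		}
	}
	if err != nil {
		return nil, fmt.Errorf("invalid proxy address %q: %v", proxy, err)
	}
	return u, nil
}

func main() {
	// Constructed inputs: the commit message's cases plus a bare IP:port.
	inputs := []string{"socks5h://localhost", "localhost", "localhost:1234", "example.com", "127.0.0.1:8080"}
	for _, in := range inputs {
		before, errB := parseAllowList(in)
		after, errA := parseAnyScheme(in)
		if errB != nil || errA != nil {
			fmt.Printf("%-20s error: %v %v\n", in, errB, errA)
			continue
		}
		fmt.Printf("%-20s before: %s %q   after: %s %q\n", in, before.Scheme, before.Host, after.Scheme, after.Host)
	}
}
```

Under the allow-list rule a socks5h proxy setting silently becomes an http proxy with the host "socks5h:", so a caller checking only for a nil error would not notice the misconfiguration.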

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).
Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.
Fixes CVE-2021-31525
Fixes golang/go#45710
Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

NO_PROXY includes support for CIDR, and notations can also
match exactly on port information if provided.
When specifying a port with IPv6, the address must be enclosed with
square brackets, [IPv6 address]:port.
Updates golang/go#16704 (fixes after vendor into std)
Change-Id: Ideb61a9ec60a6b1908f5a2c885cd6d9dd10c37cf
Reviewed-on: https://go-review.googlesource.com/115255
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

When a Content-Type that triggers content sniffing in old (but still in
significant use) browsers is sent, add the
X-Content-Type-Options: nosniff header, unless explicitly disabled.
Expose httpguts.SniffedContentType for use in the HTTP 1 implementation.
Will be tested by net/http.TestNoSniffHeader_h2.
Updates golang/go#24513
Change-Id: Id1ffea867a496393cb52c5a9f45af97d4b2fcf12
Reviewed-on: https://go-review.googlesource.com/112015
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

httplex was the original package name for shared code between net/http
and x/net/http2, but its name was too specific, and http/httpguts was
added later for other shared code.
We discussed merging httplex into httpguts at the time, but it didn't
happen earlier. This finishes the move.
Updates golang/go#23908
Change-Id: Ic7d6f39e584ca579d34b5ef5ec6a0c002a38a83c
Reviewed-on: https://go-review.googlesource.com/111875
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

Introduce a common package x/net/http/httpguts which can be vendored by
net/http to share detail implementations of the HTTP specification with
x/net/http2.
Updates golang/go#23908
Change-Id: Id5a2d51e05135436cf406c4c4d1b13fca7f84a32
Reviewed-on: https://go-review.googlesource.com/104042
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>