1From 5bc9106458fc07851ac324a4157132a91b1f3479 Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Mon, 22 Aug 2022 16:21:02 -0700
4Subject: [PATCH] [release-branch.go1.18] net/http: update bundled
5 golang.org/x/net/http2
6
7Disable cmd/internal/moddeps test, since this update includes PRIVATE
8track fixes.
9
10Fixes CVE-2022-27664
11Fixes #53977
12For #54658.
13
14Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
15Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
16Reviewed-by: Roland Shoemaker <bracewell@google.com>
17Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
18Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
19Reviewed-by: Tatiana Bradley <tatiana@golang.org>
20Run-TryBot: Michael Knyszek <mknyszek@google.com>
21TryBot-Result: Gopher Robot <gobot@golang.org>
22Reviewed-by: Carlos Amedee <carlos@golang.org>
23
24Upstream-Status: Backport
25CVE: CVE-2022-27664
26
27Reference to upstream patch: https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479
28Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
29---
30 src/cmd/internal/moddeps/moddeps_test.go | 2 ++
31 src/net/http/h2_bundle.go | 21 +++++++++++++--------
32 2 files changed, 15 insertions(+), 8 deletions(-)
33
34diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
35index 56c3b2585c..3306e29431 100644
36--- a/src/cmd/internal/moddeps/moddeps_test.go
37+++ b/src/cmd/internal/moddeps/moddeps_test.go
38@@ -34,6 +34,8 @@ import (
39 // See issues 36852, 41409, and 43687.
40 // (Also see golang.org/issue/27348.)
41 func TestAllDependencies(t *testing.T) {
42+ t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
43+
44 goBin := testenv.GoToolPath(t)
45
46 // Ensure that all packages imported within GOROOT
47diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
48index bb82f24585..1e78f6cdb9 100644
49--- a/src/net/http/h2_bundle.go
50+++ b/src/net/http/h2_bundle.go
51@@ -3384,10 +3384,11 @@ func (s http2SettingID) String() string {
52 // name (key). See httpguts.ValidHeaderName for the base rules.
53 //
54 // Further, http2 says:
55-// "Just as in HTTP/1.x, header field names are strings of ASCII
56-// characters that are compared in a case-insensitive
57-// fashion. However, header field names MUST be converted to
58-// lowercase prior to their encoding in HTTP/2. "
59+//
60+// "Just as in HTTP/1.x, header field names are strings of ASCII
61+// characters that are compared in a case-insensitive
62+// fashion. However, header field names MUST be converted to
63+// lowercase prior to their encoding in HTTP/2. "
64 func http2validWireHeaderFieldName(v string) bool {
65 if len(v) == 0 {
66 return false
67@@ -3578,8 +3579,8 @@ func (s *http2sorter) SortStrings(ss []string) {
68 // validPseudoPath reports whether v is a valid :path pseudo-header
69 // value. It must be either:
70 //
71-// *) a non-empty string starting with '/'
72-// *) the string '*', for OPTIONS requests.
73+// *) a non-empty string starting with '/'
74+// *) the string '*', for OPTIONS requests.
75 //
76 // For now this is only used a quick check for deciding when to clean
77 // up Opaque URLs before sending requests from the Transport.
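Review bot: The `t.Skip` added as the first statement of `TestAllDependencies` is unconditional, so on this branch the test, which by its visible comment covers the packages imported within GOROOT, no longer runs at all, and presumably nothing else checks that the bundled `h2_bundle.go` corresponds to a published `golang.org/x/net` version. The commit message explains that the bundle carries fixes not yet released, but the skip string names only issue #53977 and states no condition for removing it. I would add a comment above the skip such as `// Remove once the x/net release containing the CVE-2022-27664 fix is published and h2_bundle.go is regenerated from it.` so the provenance check is restored rather than left off. The test body continues outside the hunk.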
78@@ -5053,6 +5054,9 @@ func (sc *http2serverConn) startGracefulShutdownInternal() {
79 func (sc *http2serverConn) goAway(code http2ErrCode) {
80 sc.serveG.check()
81 if sc.inGoAway {
82+ if sc.goAwayCode == http2ErrCodeNo {
83+ sc.goAwayCode = code
84+ }
85 return
86 }
87 sc.inGoAway = true
88@@ -6265,8 +6269,9 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
89 // prior to the headers being written. If the set of trailers is fixed
90 // or known before the header is written, the normal Go trailers mechanism
91 // is preferred:
92-// https://golang.org/pkg/net/http/#ResponseWriter
93-// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
94+//
95+// https://golang.org/pkg/net/http/#ResponseWriter
96+// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
97 const http2TrailerPrefix = "Trailer:"
98
99 // promoteUndeclaredTrailers permits http.Handlers to set trailers
100--
1012.36.1
102
103
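Review bot: The branch added inside `if sc.inGoAway` in `goAway` carries no comment, although it is the only behavioural change in `h2_bundle.go` and therefore, as far as this patch shows, the fix for CVE-2022-27664. When a GOAWAY is already pending with `http2ErrCodeNo` (presumably the graceful-shutdown case, given the neighbouring `startGracefulShutdownInternal`), a later call now records its `code` instead of discarding it, and a reader cannot tell from these lines why only the no-error code may be overwritten. I would add `// A pending graceful shutdown (ErrCodeNo) may be escalated by a later error; an error code already recorded is kept.` above the inner `if`. What is done with the recorded code is decided outside the hunk, since `goAway` continues past `sc.inGoAway = true`, so a regression test for an error arriving after graceful shutdown has begun would be worth carrying with this backport.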