by tyho
3723 days ago
Unfortunately lots of Go code on GitHub has significant oversights, this included. I remember reporting a DoS bug in a different Go acme library identical to this one I found in acmetool in less than 60s: https://github.com/hlandau/acme/blob/master/acmeapi/ocsp.go#... In case it is not obvious, anyone in a privileged point on the network can fill resb with enough data that the program panics due to OOM and crashes. ioutil.ReadAll really needs a big warning in the docs because I have seen this pattern far too often.
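A bounded replacement for the unbounded read described in the comment above, as an added example that is not part of the original comment or of acmetool's code. The names `readBounded`, `maxOCSPBody`, `ErrBodyTooLarge` and the 1 MiB cap are assumptions made for illustration; `io.ReadAll` is the current name for `ioutil.ReadAll`.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxOCSPBody is an assumed cap for this example; choose a limit that fits
// the largest legitimate response the client expects.
const maxOCSPBody = 1 << 20 // 1 MiB

// ErrBodyTooLarge is a hypothetical sentinel error for oversized bodies.
var ErrBodyTooLarge = errors.New("response body exceeds limit")

// readBounded reads at most limit bytes from r. It requests limit+1 bytes so
// that an oversized body is reported as an error instead of being silently
// truncated and then handed to a parser.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, ErrBodyTooLarge
	}
	return b, nil
}

// endless is a constructed stand-in for a peer that never stops sending.
// Passing it straight to io.ReadAll would grow the buffer until the process
// runs out of memory.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

func main() {
	_, err := readBounded(endless{}, maxOCSPBody)
	fmt.Println("endless body:", err)
	b, err := readBounded(strings.NewReader("small response"), maxOCSPBody)
	fmt.Println("normal body:", len(b), err)
}
```

In an HTTP client the same wrapper goes around `resp.Body` before any parsing.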