internal/http3: prevent Server handler from writing longer body than …

…declared

Like in HTTP/1 and HTTP/2, this CL changes the Server handler so that
Write will return an error and automatically trim the content being
written, when attempting to write a body content that is longer than
what has been declared in the "Content-Length" header.

For golang/go#70914

Change-Id: I638efb8ec96f926f86c389f3cac79f1b38a5b36b
Reviewed-on: https://go-review.googlesource.com/c/net/+/748681
Reviewed-by: Nicholas Husin <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I5e9ca4c38dd59f5c3332ee2e8bac98c338620b69
Reviewed-on: https://go-review.googlesource.com/c/net/+/743400
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I335bdc9150b51cb7d8ebd29721580dcdd5cb49ba
Reviewed-on: https://go-review.googlesource.com/c/net/+/735680
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I9679bad7bfc127003a80fc41dab3cf34aaff78be
Reviewed-on: https://go-review.googlesource.com/c/net/+/728182
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: David Chase <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I166e970128861674939fc46eaad37f74d19f1745
Reviewed-on: https://go-review.googlesource.com/c/net/+/719680
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I2715ca45bf0dbe31bf912ab365632cb80be544ca
Reviewed-on: https://go-review.googlesource.com/c/net/+/710079
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: David Chase <[email protected]>

html: impose open element stack size limit

The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

http2: fix race condition when disabling goroutine debugging for one …

…test

Fixes golang/go#66519

Change-Id: I7aecf20db44caaaf49754d62db193b8c42f3c63a
Reviewed-on: https://go-review.googlesource.com/c/net/+/701836
Auto-Submit: Damien Neil <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: Id3afb41fc96c3eaa63241116bb332d4779e6b5f6
Reviewed-on: https://go-review.googlesource.com/c/net/+/694175
Reviewed-by: David Chase <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: Icb45ef272d4eb5920b8e531ba311b3efb42af72c
Reviewed-on: https://go-review.googlesource.com/c/net/+/687275
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>