The Wire · Showcase
GO PATCHES HTTP/2 BYPASS IN REVERSEPROXY, COMPILER GAINS FUSION MATH
By RepoJournal · Filed · About Go
ReverseProxy was forwarding h2c upgrade headers that let clients bypass your handlers entirely, and it's getting fixed today.
The net/http/httputil package had a surprising security gap: it would forward Upgrade: h2c headers from clients to backends, allowing HTTP/1 connections to switch to unencrypted HTTP/2 and slip past the proxy's middleware [1]. That's getting rejected outright now. On the compiler front, Go is shipping instruction-level parallelism improvements to md5 [2] and rewriting x-y*z arithmetic to fused multiply-subtract for GOAMD64=v3 [3], both targeting the performance bottlenecks that were waiting on optimizer changes. Meanwhile, the toolchain is getting smarter about error reporting: binary-only packages will now fail at load time instead of mysteriously at build time [4], and gopls is adding Move Declaration as a code action for refactoring [5]. The crypto/ssh package is also fixing a subtle audit gap where RSA signature verification could report the wrong algorithm to callbacks [6]. Across the ecosystem, you're getting better debugging visibility in gopls with package-level symbol inspection [7], faster type analysis with RTA refactoring [8], and stricter inlay hints that recognize common error-ignore patterns [9].
Action items
- → Review and test the h2c header fix [ref:1] if you run ReverseProxy in production golang/go [immediate]
- → Update gopls for Move Declaration and inlay hint improvements when available golang/tools [plan]
- → Monitor crypto/ssh signature format handling in authentication callbacks golang/crypto [monitor]
References
- [1] net/http/httputil: don't forward Upgrade: h2c headers golang/go
- [2] crypto/md5: improve instruction-level parallelism golang/go
- [3] cmd/compile: rewrite x-y*z to fused multiply subtract for GOAMD64=v3 golang/go
- [4] cmd/go: identify error for binary-only packages when loading golang/go
- [5] gopls/internal/golang: add Move Declaration skeleton golang/tools
- [6] ssh: report verified signature format to callback golang/crypto
- [7] gopls/internal/debug: show Package.Scope symbols golang/tools
- [8] go/callgraph/rta: use typesinternal.ForEachElement golang/tools
- [9] gopls/internal/golang: InlayHint: permit "ignore error" alternatives golang/tools