[PR #5205] [MERGED] fix: validate CA cert parsing and add missing ReadHeaderTimeout #5169

Closed
opened 2026-05-05 14:56:02 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5205
Author: @fatedier
Created: 3/6/2026
Status: Merged
Merged: 3/6/2026
Merged by: @fatedier

Base: dev ← Head: new


📝 Commits (1)

  • b9afc80 fix: validate CA cert parsing and add missing ReadHeaderTimeout

📊 Changes

3 files changed (+8 additions, -3 deletions)

📝 pkg/plugin/client/http2http.go (+2 -1)
📝 pkg/plugin/client/http2https.go (+2 -1)
📝 pkg/transport/tls.go (+4 -1)

📄 Description

Summary

  • pkg/transport/tls.go: newCertPool ignores AppendCertsFromPEM return value. If the CA file is malformed (DER-encoded, empty, corrupted), the cert pool is empty and TLS verification silently fails with a confusing error later. Now returns a clear error immediately.
  • pkg/plugin/client/http2http.go: ReadHeaderTimeout was explicitly set to 0 (no timeout), while all other plugins in the same directory use 60s. Fixed to 60s for consistency and slowloris protection.
  • pkg/plugin/client/http2https.go: Same ReadHeaderTimeout fix.

Context

  • ReadHeaderTimeout only controls request header read time, not backend processing or response time (confirmed via Go source code). Setting 60s has no impact on long-running requests.
  • The same AppendCertsFromPEM check already exists correctly in pkg/auth/oidc.go:53.

Test plan

  • make build passes
  • make test passes
  • Codex review: no regressions identified

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
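
The `pkg/transport/tls.go` item in the summary, as an added example that is not frp's code: `loadCAPool` and `sampleCA` are hypothetical helpers and the CA is generated in-process as constructed input. It shows the checked `AppendCertsFromPEM` call accepting PEM and rejecting DER-encoded and empty CA data at load time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// loadCAPool is a hypothetical helper (not frp's newCertPool): it errors out
// when AppendCertsFromPEM parsed nothing, instead of returning an empty pool.
func loadCAPool(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no PEM certificate parsed from %d bytes of CA data", len(caPEM))
	}
	return pool, nil
}

// sampleCA builds a constructed, throwaway self-signed CA as DER and as PEM.
func sampleCA() (der, pemBytes []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
	}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv); err != nil {
		return nil, nil, err
	}
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	der, pemBytes, err := sampleCA()
	if err != nil {
		panic(err)
	}
	for _, in := range [][]byte{pemBytes, der, nil} { // valid PEM, raw DER, empty
		_, err := loadCAPool(in)
		fmt.Printf("%4d bytes -> err=%v\n", len(in), err)
	}
}
```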

Reference: github-starred/frp#5169