affected/package:http HTTP client vulnerable to Slow Loris with default configuration.

[thedarkb]

What version of Go are you using (go version)?

$ go version
go version go1.16.2 linux/amd64

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/treecycling/.cache/go-build"
GOENV="/home/treecycling/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/treecycling/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/treecycling/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.16"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.16/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.2"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/treecycling/productionBuild/TreeSV2.0/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2594166505=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I created a web application using the default HTTP client and it failed to time out dead connections and it ran out of file handles after a month of operation.

What did you expect to see?

Either the connections timing out or the application panicking and closing when it ran out of handles. Preferably the connections timing out as long-running connections are normally the exception rather than the rule.

What did you see instead?

The application stayed running but began responding to requests inconsistently as the file handles were exhausted leading to silent data loss from webhook failures.

[seankhliao]

Duplicate of #24138