Update everything to Go 1.19 and fix potential Slowloris Attacks

.golangci.yml

@@ -32,10 +32,10 @@ linters:
     - gosec
 linters-settings:
   gosimple:
-    go: "1.18"
+    go: "1.19"
     checks: ["all"]
   gostatichcheck:
-    go: "1.18"
+    go: "1.19"
     checks: ["all"]
   dupl:
     threshold: 125

docs/build.md

@@ -30,7 +30,7 @@ Requirements:
 
 - Linux
 - git
-- go >= 1.17
+- go >= 1.19
 - libsqlite3 with FTS5 enabled >= 3.31 (the newer the better)
 
 Build command:

go.mod

@@ -1,6 +1,6 @@
 module go.goblog.app/app
 
-go 1.18
+go 1.19
 
 require (
 	git.jlel.se/jlelse/go-geouri v0.0.0-20210525190615-a9c1d50f42d6
@@ -58,7 +58,7 @@ require (
 	// master
 	github.com/yuin/goldmark-emoji v1.0.2-0.20210607094911-0487583eca38
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
-	golang.org/x/net v0.0.0-20220728211354-c7608f3a8462
+	golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 	golang.org/x/text v0.3.7
 	gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -617,8 +617,8 @@ golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220728211354-c7608f3a8462 h1:UreQrH7DbFXSi9ZFox6FNT3WBooWmdANpU+IfkT1T4I=
-golang.org/x/net v0.0.0-20220728211354-c7608f3a8462/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 h1:N9Vc/rorQUDes6B9CNdIxAn5jODGj2wzfrei2x4wNj4=
+golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

http.go

@@ -57,6 +57,7 @@ func (a *goBlog) startServer() (err error) {
 	// Start server
 	s := &http.Server{
 		Handler:           finalHandler,
+		ReadHeaderTimeout: 1 * time.Minute,
 		ReadTimeout:       5 * time.Minute,
 		WriteTimeout:      5 * time.Minute,
 	}
@@ -71,6 +72,7 @@ func (a *goBlog) startServer() (err error) {
 			httpServer := &http.Server{
 				Addr:              ":80",
 				Handler:           h,
+				ReadHeaderTimeout: 1 * time.Minute,
 				ReadTimeout:       5 * time.Minute,
 				WriteTimeout:      5 * time.Minute,
 			}

main.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"runtime"
 	"runtime/pprof"
+	"time"
 
 	"github.com/pquerna/otp/totp"
 )
@@ -111,6 +112,7 @@ func main() {
 			pprofServer := &http.Server{
 				Addr:              defaultIfEmpty(pprofCfg.Address, "localhost:0"),
 				Handler:           pprofHandler,
+				ReadHeaderTimeout: 1 * time.Minute,
 			}
 			listener, err := net.Listen("tcp", pprofServer.Addr)
 			if err != nil {

tor.go

@@ -67,6 +67,7 @@ func (a *goBlog) startOnionService(h http.Handler) error {
 	// Serve handler
 	s := &http.Server{
 		Handler:           middleware.WithValue(torUsedKey, true)(h),
+		ReadHeaderTimeout: 1 * time.Minute,
 		ReadTimeout:       5 * time.Minute,
 		WriteTimeout:      5 * time.Minute,
 	}

updateDeps.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 
 GOFLAGS="-tags=linux,libsqlite3,sqlite_fts5" go get -d $(go list -f '{{if not (or .Main .Indirect)}}{{.Path}}{{end}}' -m all)
-GOFLAGS="-tags=linux,libsqlite3,sqlite_fts5" go mod tidy -compat 1.18
+GOFLAGS="-tags=linux,libsqlite3,sqlite_fts5" go mod tidy -compat 1.19