net/http: allows invalid characters in header values #11207

Closed
dvyukov opened this issue Jun 13, 2015 · 7 comments
@dvyukov
Member

commented Jun 13, 2015

net/http successfully parses invalid characters in HTTP header values.
For example, in the following program the header value is not preserved after Write/Parse. But in general header values must contain only visible characters (0x21-0x7f) + space and tab.

package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
)

func main() {
	// Raw request whose header value contains a bare CR (0x0d), which is a CTL
	// and therefore not allowed in a field value.
	data := []byte("GET / HTTP/1.1\nh:0\r0\n\n")
	r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
	if err != nil {
		panic(err)
	}
	// Serialize the parsed request again, as a proxy would.
	buf := new(bytes.Buffer)
	if err := r.WriteProxy(buf); err != nil {
		panic(err)
	}
	fmt.Printf("%q\n", buf.Bytes())
	// Re-parse the serialized bytes and compare the header value round trip.
	r1, err := http.ReadRequest(bufio.NewReader(buf))
	if err != nil {
		panic(err)
	}
	if r.Header.Get("h") != r1.Header.Get("h") {
		fmt.Printf("h0: %q\n", r.Header.Get("h"))
		fmt.Printf("h1: %q\n", r1.Header.Get("h"))
		panic("header changed")
	}
}
"GET / HTTP/1.1\r\nHost: \r\nUser-Agent: Go 1.1 package http\r\nH: 0 0\r\n\r\n"
h0: "0\r0"
h1: "0 0"

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

@ianlancetaylor ianlancetaylor added this to the Go1.6 milestone Jun 14, 2015

@rsc

Contributor

commented Dec 17, 2015

Didn't I see a CL for this today?

@bradfitz

Member

commented Dec 17, 2015

That was specifically for Host headers. This is all headers. Very similar. I'll do this one today.

@gopherbot


commented Dec 17, 2015

CL https://golang.org/cl/17980 mentions this issue.

@bradfitz bradfitz closed this in c052222 Dec 17, 2015

@andybalholm


commented Jan 8, 2016

I think this is too strict. RFC2616 §4.2 says that a header's field-content can consist of *TEXT, and RFC2616 §2.2 says that TEXT is <any OCTET except CTLs, but including LWS>, so that would mean that bytes greater than 128 are allowed.

@bradfitz

Member

commented Jan 8, 2016

@andybalholm, thanks.

@bradfitz bradfitz reopened this Jan 8, 2016

@gopherbot


commented Jan 8, 2016

CL https://golang.org/cl/18374 mentions this issue.

@bradfitz bradfitz closed this in 0421e78 Jan 8, 2016

@gopherbot


commented Jan 8, 2016

CL https://golang.org/cl/18375 mentions this issue.

bradfitz added a commit that referenced this issue Jan 8, 2016

net/http: fix validHeaderValue yet again, excluding the DEL CTL byte
Third time's a charm.

Thanks to Ralph Corderoy for noticing the DEL omission.

Update #11207

Change-Id: I174fd01eaecceae1eb220f2c9136e12d40fbe943
Reviewed-on: https://go-review.googlesource.com/18375
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
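
The thread above converges on a rule in three steps: the original report (only visible characters plus space and tab), andybalholm's correction (bytes 0x80 and above are TEXT and therefore allowed), and the final commit (DEL, 0x7f, is a CTL and must be excluded). The program below is an added example written for this page, not the net/http code from any of the CLs; `validHeaderValue` and `validHeaderValueByte` here are illustrative names that merely follow the same rule, and the test inputs are constructed. It also runs the reported value `"0\r0"` through `http.Header.Write` to show why the round trip in the report fails: the writer rewrites CR and LF to a space, so the receiving side sees `"0 0"` and cannot recover the original value.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
)

// validHeaderValue reports whether v is a legal HTTP header field value under
// the rule the thread settles on: VCHAR (0x21-0x7e), SP, HTAB and obs-text
// (0x80-0xff) are allowed; every CTL (0x00-0x1f) and DEL (0x7f) is rejected.
// Illustrative code for this page, not the net/http implementation.
func validHeaderValue(v string) bool {
	for i := 0; i < len(v); i++ {
		if !validHeaderValueByte(v[i]) {
			return false
		}
	}
	return true
}

func validHeaderValueByte(b byte) bool {
	switch {
	case b == ' ' || b == '\t':
		// SP and HTAB are the only permitted whitespace.
		return true
	case b < 0x20 || b == 0x7f:
		// CTLs, including the DEL byte the final commit excludes.
		return false
	default:
		// 0x21-0x7e (VCHAR) and 0x80-0xff (obs-text).
		return true
	}
}

// writeHeader serializes one header through net/http's Header.Write and
// returns exactly the bytes a peer would receive.
func writeHeader(name, value string) (string, error) {
	h := http.Header{}
	h.Set(name, value)
	var buf bytes.Buffer
	if err := h.Write(&buf); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed inputs: the value from the report plus the boundary cases
	// raised later in the thread (obs-text, DEL, HTAB).
	cases := []string{"0\r0", "0 0", "caf\xc3\xa9", "x\x7fy", "a\tb", "a\x00b"}
	for _, v := range cases {
		fmt.Printf("%-14q valid=%v\n", v, validHeaderValue(v))
	}

	// The CR in the reported value is turned into a space on the wire, which is
	// why h0 ("0\r0") and h1 ("0 0") differ in the original program.
	out, err := writeHeader("h", "0\r0")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %q\n", out)
}
```

A proxy or server that forwards headers should validate with a check like `validHeaderValue` before re-serializing, rather than relying on the writer's rewrite: the rewrite hides the bad byte instead of refusing the message, and an upstream and downstream parser that disagree on such bytes is the classic setup for request smuggling.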

@golang golang locked and limited conversation to collaborators Jan 7, 2017
