net/http: request body errors don't close a connection

[jeddenlea]

After an HTTP server parses a request's headers, it essentially passes control of the protocol handling to a request body Reader. Generally, this Reader either consumes up to the number bytes specified by Content-Length, or follows a chunked encoded entity.

But, errors encountered at this stage are completely ignored by the server. Broken connections are left in tact, and the server will attempt to read further requests from them.

This is a vector for request smuggling.

[bradfitz]

I don't quite follow.

What type of errors?

Can you give a concrete example?

How can you trick a server into reading a further request? We shouldn't ever be reusing the connection unless the body has been consumed.

[jeddenlea]

This is fixed in https://go-review.googlesource.com/#/c/12865/

[jeddenlea]

A simple example is TestRequestBodyReadErrorClosesConnection in https://go-review.googlesource.com/#/c/12865/1/src/net/http/serve_test.go.

Timeout errors are ignored, too. though. You can smuggle a request basically by doing:

POST / HTTP/1.1
Host: foo
Content-Lenght: 1000

[ pause for the server's request timeout ]
GET /quitquitquit HTTP/1.1
Host: foo

[gopherbot]

CL https://golang.org/cl/12865 mentions this issue.

[bradfitz]

I do think we need to fix this for Go 1.5, now that I've looked at it. Timing sucks because I'm on vacation but I'll review the CL more when I get laptop net access again in a few hours.