net/http: 400 Bad Request not logged

[kennygrant]

Currently at net/http/server.go:1339 c.serve() responds to a bad request (e.g. http://golang.org/%L3 ) by responding with 400 Bad request without a body. This results in a blank browser window when not behind a proxy, which is not helpful for end users, and nothing in logs to indicate the cause. Would it be possible to add a simple body to this request with something like:

io.WriteString(c.rwc, "HTTP/1.1 400 Bad Request\r\n\r\n400 Bad Request")

and/or to insert a line of logging before the response:

c.server.logf("http: 400 Bad Request: %v", err)

so that the server logs all significant errors encountered during this serve() method, as it does for TLS handshake error and panics in the handlers?

[bradfitz]

Sure. Want to do it?

[kennygrant]

Yes sure, I'll have a look through the contribution guidelines and see if I can produce a patch for you. My preference would be to add a c.server.logf call for both:

413 Request Entity Too Large
400 Bad Request

and then add the error text to the response body in each case too as above. Does that sound ok as a starting point?

[bradfitz]

Why don't you start with just the response body/bodies CL (change) first and then do the logging as a follow-up? I'd rather see a number of smaller changes than one containing a bunch of unrelated stuff. This is always true, but especially true when you're first learning the code review system.

[kennygrant]

OK Will do. Thanks.

[kennygrant]

I've added this for code review - net/http: add response body to 413 and 400 errors

https://go-review.googlesource.com/15018

hopefully I did that correctly.

[gopherbot]

CL https://golang.org/cl/15018 mentions this issue.

[kennygrant]

I've added a revision to take in your comments, which adds the new headers you recommended. Since it's a bit more complex now (several lines of headers) and both are similar I've put it into an unexported sendError method, which simplifies the response inside serve() to just c.sendError(StatusBadRequest).

[dpc]

Did the followup ever happened? I'd like to be able to report-up the bad requests, and it seems they are not getting logged through http.Server.LogError.

[bradfitz]

Looks like it didn't. @kennygrant sent https://golang.org/cl/15018 with the text "Fixes #nnn" (which closed this issue), but the original issue was never addressed.

We don't normally reopen issues, but it seems appropriate here.

@kennygrant, do you want to continue?