Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: incomplete http host header passed with net/http on go 1.5.1 #12997

Closed
nishanthb opened this issue Oct 20, 2015 · 3 comments

Comments

Projects
None yet
4 participants
@nishanthb
Copy link

commented Oct 20, 2015

This code below results in an incomplete HTTP Host header being passed on go version go1.5.1 linux/amd64. Older versions did not show this problem (tested on go version go1.3 linux/amd64)

package main

import (
"fmt"
"net/url"
"net/http"
"strings"
)

func main() {
uv := url.Values{"data":{"test"}}.Encode()
client := &http.Client{}
req,_ := http.NewRequest("POST","http://localhost:8000",strings.NewReader(uv))
req.Host = http://www.myhost.com
req.Header.Add("Content-Type","application/x-www-form-urlencoded")
req.Header.Add("Content-Length",string(len(uv)))
resp,err := client.Do(req)
if err != nil {
fmt.Println("Got err: ", err)
}
fmt.Println(resp)
}

Request sent (go version go1.5.1 linux/amd64)

POST / HTTP/1.1
Host: http:
User-Agent: Go-http-client/1.1
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

data=test

Request sent (go version go1.3 linux/amd64)

POST / HTTP/1.1
Host: http://www.myhost.com
User-Agent: Go 1.1 package http
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

data=test

Thanks,
Nishanth

@davecheney

This comment has been minimized.

Copy link
Contributor

commented Oct 20, 2015

Technically both versions are non compliant.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html says the Host header
may contain only a hostname and an optional port.

The workaround for you is to not pass a URL to that field.

I think the solution would be to leverage the fact that method returns an
error and do some validation before issuing the request.

/cc @bradfitz

On Tue, Oct 20, 2015 at 4:30 PM, Nishanth B notifications@github.com
wrote:

This code below results in an incomplete HTTP Host header being passed on
go version go1.5.1 linux/amd64. Older versions did not show this problem
(tested on go version go1.3 linux/amd64)

package main

import (
"fmt"
"net/url"
"net/http"
"strings"
)

func main() {
uv := url.Values{"data":{"test"}}.Encode()
client := &http.Client{}
req,_ := http.NewRequest("POST","http://localhost:8000
",strings.NewReader(uv))
req.Host = http://www.myhost.com
req.Header.Add("Content-Type","application/x-www-form-urlencoded")
req.Header.Add("Content-Length",string(len(uv)))
resp,err := client.Do(req)
if err != nil {
fmt.Println("Got err: ", err)
}
fmt.Println(resp)
}

Request sent (go version go1.5.1 linux/amd64)

POST / HTTP/1.1
Host: http:
User-Agent: Go-http-client/1.1
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

data=test

Request sent (go version go1.3 linux/amd64)

POST / HTTP/1.1
Host: http://www.myhost.com
User-Agent: Go 1.1 package http
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

data=test

Thanks,
Nishanth


Reply to this email directly or view it on GitHub
#12997.

@rakyll rakyll changed the title Incomplete http host header passed with net/http on go 1.5.1 net/http: incomplete http host header passed with net/http on go 1.5.1 Oct 20, 2015

@bradfitz

This comment has been minimized.

Copy link
Member

commented Oct 20, 2015

What @davecheney said.

@bradfitz bradfitz closed this Oct 20, 2015

@bradfitz

This comment has been minimized.

Copy link
Member

commented Oct 20, 2015

Also this is wrong:

req.Header.Add("Content-Length",string(len(uv)))

That will not produce the right answer at all. string(int) doesn't do what you think.

@golang golang locked and limited conversation to collaborators Oct 24, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.