Notably, requests look like "GET /path", with no version number. Go's server rejects those with "HTTP/1.1 400 Bad Request". But if you make a request like:
GET /path HTTP/0.9\r\n
\r\n
... then Go replies like it's an HTTP/0.9 request (without response headers), even though that's not a valid HTTP/0.9 request at all. (it has a version number, and Go waits for the second \r\n before replying, where HTTP/0.9 requests only have a single \r\n).
So we should probably just kill all HTTP/0.9 support.
@regilero also mentioned there might be some cache poisoning or request smuggling possibilities here, but I don't see how. It seems to only affect the person making the bogus request. But there's also zero clients in the world who make these bogus requests, so it's easier to just delete support.
The text was updated successfully, but these errors were encountered:
As noted in an email from @regilero, Go's "support" for HTTP/0.9 is quite inconsistent.
The HTTP/0.9 "spec" is at https://www.w3.org/Protocols/HTTP/AsImplemented.html
Notably, requests look like "GET /path", with no version number. Go's server rejects those with "HTTP/1.1 400 Bad Request". But if you make a request like:
... then Go replies like it's an HTTP/0.9 request (without response headers), even though that's not a valid HTTP/0.9 request at all. (it has a version number, and Go waits for the second
\r\nbefore replying, where HTTP/0.9 requests only have a single\r\n).So we should probably just kill all HTTP/0.9 support.
@regilero also mentioned there might be some cache poisoning or request smuggling possibilities here, but I don't see how. It seems to only affect the person making the bogus request. But there's also zero clients in the world who make these bogus requests, so it's easier to just delete support.
The text was updated successfully, but these errors were encountered: