Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upnet/http: various HTTP/0.9 bugs #16197
Closed
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
As noted in an email from @regilero, Go's "support" for HTTP/0.9 is quite inconsistent.
The HTTP/0.9 "spec" is at https://www.w3.org/Protocols/HTTP/AsImplemented.html
Notably, requests look like "GET /path", with no version number. Go's server rejects those with "HTTP/1.1 400 Bad Request". But if you make a request like:
... then Go replies like it's an HTTP/0.9 request (without response headers), even though that's not a valid HTTP/0.9 request at all. (it has a version number, and Go waits for the second
\r\nbefore replying, where HTTP/0.9 requests only have a single\r\n).So we should probably just kill all HTTP/0.9 support.
@regilero also mentioned there might be some cache poisoning or request smuggling possibilities here, but I don't see how. It seems to only affect the person making the bogus request. But there's also zero clients in the world who make these bogus requests, so it's easier to just delete support.