Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upnet/http: various HTTP/0.9 bugs #16197
Comments
bradfitz
added
the
NeedsFix
label
Jun 27, 2016
bradfitz
added this to the Go1.7Maybe milestone
Jun 27, 2016
bradfitz
self-assigned this
Jun 27, 2016
This comment has been minimized.
This comment has been minimized.
gopherbot
commented
Jun 27, 2016
|
CL https://golang.org/cl/24505 mentions this issue. |
gopherbot
closed this
in
3e9d6e0
Jun 27, 2016
golang
locked and limited conversation to collaborators
Jun 27, 2017
gopherbot
added
the
FrozenDueToAge
label
Jun 27, 2017
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
bradfitz commentedJun 27, 2016
As noted in an email from @regilero, Go's "support" for HTTP/0.9 is quite inconsistent.
The HTTP/0.9 "spec" is at https://www.w3.org/Protocols/HTTP/AsImplemented.html
Notably, requests look like "GET /path", with no version number. Go's server rejects those with "HTTP/1.1 400 Bad Request". But if you make a request like:
... then Go replies like it's an HTTP/0.9 request (without response headers), even though that's not a valid HTTP/0.9 request at all. (it has a version number, and Go waits for the second
\r\nbefore replying, where HTTP/0.9 requests only have a single\r\n).So we should probably just kill all HTTP/0.9 support.
@regilero also mentioned there might be some cache poisoning or request smuggling possibilities here, but I don't see how. It seems to only affect the person making the bogus request. But there's also zero clients in the world who make these bogus requests, so it's easier to just delete support.