net/http: Server does not validate of HTTP method like Transport and NewRequest #18319

Closed
glasser opened this issue Dec 14, 2016 · 1 comment

@glasser

commented Dec 14, 2016

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.7.4 or current master.

What operating system and processor architecture are you using (go env)?

Linux, Mac, all.

What did you do?

I observed that http.Transport.RoundTrip and http.NewRequest use the validMethod function to validate that the request's method is syntactically valid, but http.Server does not. This is different behavior than, say, the validation of header names which is done in both directions.

(I specifically noticed this because it's a mechanism by which straightforward use of httputil.ReverseProxy can lead to an error in RoundTripping the request which is the fault of the original client, not the backend server.)

@bradfitz agreed with me that this is a bug and asked me to file it.

See https://play.golang.org/p/DUHElpDb-u

What did you expect to see?

I expected http.Server to have the same validation as http.NewRequest and http.Transport.RoundTrip and reject incoming requests with Method GE)T before getting to the handler.

What did you see instead?

In the playground you can see that the handler is invoked with Method GE)T.
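An added example, not part of the original issue and not net/http's own code: a handler wrapper that applies the RFC 7230 token check to `r.Method` before a handler (or an `httputil.ReverseProxy`) sees the request, for servers running a Go version in which `http.Server` does not do so. `validMethodToken`, `RejectInvalidMethod` and `statusFor` are hypothetical names, and the requests are constructed in-process.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validMethodToken reports whether m is a non-empty RFC 7230 token.
// Hypothetical helper; net/http's own validMethod is unexported.
func validMethodToken(m string) bool {
	for i := 0; i < len(m); i++ {
		c := m[i]
		alnum := 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9'
		if !alnum && strings.IndexByte("!#$%&'*+-.^_`|~", c) < 0 {
			return false
		}
	}
	return m != ""
}

// RejectInvalidMethod answers 400 for a malformed method instead of
// passing the request on to next.
func RejectInvalidMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validMethodToken(r.Method) {
			http.Error(w, "invalid method", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the wrapper and returns
// the response status and whether the inner handler ran.
func statusFor(method string) (int, bool) {
	reached := false
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { reached = true })
	req := httptest.NewRequest("GET", "/", nil)
	req.Method = method // set directly: NewRequest itself rejects "GE)T"
	rec := httptest.NewRecorder()
	RejectInvalidMethod(inner).ServeHTTP(rec, req)
	return rec.Code, reached
}

func main() {
	for _, m := range []string{"GET", "M-SEARCH", "GE)T", ""} {
		code, reached := statusFor(m)
		fmt.Printf("%q -> status %d, handler reached: %v\n", m, code, reached)
	}
}
```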

@glasser changed the title from "net/http: Validation of HTTP method is not done by the server" to "net/http: Server does not validate of HTTP method like Transport and NewRequest" Dec 14, 2016

@bradfitz bradfitz added this to the Go1.9 milestone Dec 14, 2016

@gopherbot

commented Dec 15, 2016

CL https://golang.org/cl/34470 mentions this issue.

@gopherbot gopherbot closed this in bb41b4d Feb 1, 2017

@golang golang locked and limited conversation to collaborators Feb 1, 2018
