Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: Server does not validate of HTTP method like Transport and NewRequest #18319

glasser opened this issue Dec 14, 2016 · 1 comment


Copy link

@glasser glasser commented Dec 14, 2016

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.7.4 or current master.

What operating system and processor architecture are you using (go env)?

Linux, Mac, all.

What did you do?

I observed that http.Transport.RoundTrip and http.NewRequest use the validMethod function to validate that the request's method is syntactically valid, but http.Server does not. This is different behavior than, say, the validation of header names which is done in both directions.

(I specifically noticed this because it's a mechanism by which straightforward use of httputil.ReverseProxy can lead to an error in RoundTripping the request which is the fault of the original client, not the backend server.)

@bradfitz agreed with me that this is a bug and asked me to file it.


What did you expect to see?

I expected http.Server to have the same validation as http.NewRequest and http.Transport.RoundTrip and reject incoming requests with Method GE)T before getting to the handler.

What did you see instead?

In the playground you can see that the handler is invoked with Method GE)T.

@glasser glasser changed the title net/http: Validation of HTTP method is not done by the server net/http: Server does not validate of HTTP method like Transport and NewRequest Dec 14, 2016
@bradfitz bradfitz added this to the Go1.9 milestone Dec 14, 2016
Copy link

@gopherbot gopherbot commented Dec 15, 2016

CL mentions this issue.

@gopherbot gopherbot closed this in bb41b4d Feb 1, 2017
@golang golang locked and limited conversation to collaborators Feb 1, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.