net/http: CanonicalHeaderKey capitalization is non-conformant with RFC 6455 #18495

Closed
@shosti

What version of Go are you using (go version)?

go version go1.7.4 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/shosti/go"
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build649225145=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Minimal reproduction: https://play.golang.org/p/jMuUMK5TDL

What did you expect to see?

According to RFC 6455, headers for WebSocket upgrades are capitalized as Sec-WebSocket-* (e.g. Sec-WebSocket-Key). CanonicalHeaderKey should canonicalize those headers to be compliant with the spec.

What did you see instead?

CanonicalizeHeaderKey returns header keys capitalized as Sec-Websocket-* (without the uppercase S in Socket).

While this may not seem like a big deal, I've encountered real-world servers that rely on the correct capitalization (obviously not a good idea). It's especially problematic because all HTTP request parsing canonicalizes the header keys. This has led to some pretty severe issues with a proxy server I had running in production that had to forward WebSocket requests to arbitrary servers.
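
The behaviour reported above, as an added example that is not part of the original issue or the Go project's code: it parses a constructed upgrade request, shows the keys net/http stores, and restores the RFC 6455 spelling before the headers are serialized again. The sample request and the helper names (`parseSample`, `restoreWebSocketCase`, `wireHeaders`) are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample request (not from the issue), spelled as in RFC 6455.
const sampleUpgrade = "GET /chat HTTP/1.1\r\n" +
	"Host: example.test\r\n" +
	"Upgrade: websocket\r\n" +
	"Connection: Upgrade\r\n" +
	"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n" +
	"Sec-WebSocket-Version: 13\r\n\r\n"

// parseSample parses the request the way a Go server or proxy would;
// every header key is canonicalized during parsing.
func parseSample() (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(sampleUpgrade)))
}

// restoreWebSocketCase (hypothetical helper) renames canonicalized
// Sec-Websocket-* keys to Sec-WebSocket-* by writing to the map directly,
// because Header.Set and Header.Add would canonicalize the key again.
func restoreWebSocketCase(h http.Header) {
	const canon, rfc = "Sec-Websocket-", "Sec-WebSocket-"
	for k, v := range h {
		if strings.HasPrefix(k, canon) {
			delete(h, k)
			h[rfc+k[len(canon):]] = v
		}
	}
}

// wireHeaders returns the header block as Header.Write serializes it;
// keys are written exactly as stored in the map.
func wireHeaders(h http.Header) string {
	var buf bytes.Buffer
	h.Write(&buf)
	return buf.String()
}

func main() {
	req, err := parseSample()
	if err != nil {
		panic(err)
	}
	fmt.Print("parsed:\n", wireHeaders(req.Header))
	restoreWebSocketCase(req.Header)
	fmt.Print("restored:\n", wireHeaders(req.Header))
}
```

After the rename, `Header.Get("Sec-WebSocket-Key")` returns an empty string because `Get` canonicalizes its argument, so later code has to index the map with the exact key.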
