Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: Server and ReadRequest not requiring CRLF to end request-line and headers #19106

Closed
danp opened this issue Feb 15, 2017 · 4 comments
Closed

net/http: Server and ReadRequest not requiring CRLF to end request-line and headers #19106

danp opened this issue Feb 15, 2017 · 4 comments
Labels
FrozenDueToAge
Milestone
Go1.9Maybe

Comments

@danp
Copy link
Contributor

@danp danp commented Feb 15, 2017

What version of Go are you using (go version)?

go version devel +79fab70a63 Wed Feb 15 09:26:33 2017 +0000 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/dan.peterson/Projects/go"
GORACE=""
GOROOT="/Users/dan.peterson/Projects/go/project/go"
GOTOOLDIR="/Users/dan.peterson/Projects/go/project/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/5b/rh45nd3n5sz5phl9s2kx8vwhng20hp/T/go-build354372830=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

https://play.golang.org/p/Lb7xVfo9i3

What did you expect to see?

A ReadRequest error and a 400 from the test server.

What did you see instead?

No ReadRequest error and success from the test server.

https://tools.ietf.org/html/rfc2616#section-5 says the request-line, each header, and the header section must end in CRLF. Server and ReadRequest don't seem to be enforcing this.
@mvdan
Copy link
Member

@mvdan mvdan commented Feb 15, 2017

cc @bradfitz
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Feb 15, 2017

I'm pretty sure Go has behaved like this from day 1, before I was involved.

I'd be willing to try to change it and see what explodes, as long as the majority of popular servers also reject it. Do they? What do Apache and nginx and Google's GFE do? (I'm busy today, so maybe somebody else can check and report back)
@bradfitz bradfitz added this to the Go1.9Maybe milestone Feb 15, 2017
@danp
Copy link
Contributor Author

@danp danp commented Feb 15, 2017

Expanded the playground program to take a URL argument and tried it on google.com and nginx.com, seems both accept the request.

So maybe leave it? Worth documenting somewhere?
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Feb 15, 2017

Thanks for investigating. I don't think it's worth documenting. If we documented every HTTP/1 quirk we'd drown out the useful package documentation.
@bradfitz bradfitz closed this Feb 15, 2017
@golang golang locked and limited conversation to collaborators Feb 15, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.9Maybe
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
@danp @bradfitz @mvdan @gopherbot
You can’t perform that action at this time.