net/http: Server and ReadRequest not requiring CRLF to end request-line and headers #19106
Labels
Milestone
Comments
cc @bradfitz |
I'm pretty sure Go has behaved like this from day 1, before I was involved. I'd be willing to try to change it and see what explodes, as long as the majority of popular servers also reject it. Do they? What do Apache and nginx and Google's GFE do? (I'm busy today, so maybe somebody else can check and report back) |
Expanded the playground program to take a URL argument and tried it on google.com and nginx.com, seems both accept the request. So maybe leave it? Worth documenting somewhere? |
Thanks for investigating. I don't think it's worth documenting. If we documented every HTTP/1 quirk we'd drown out the useful package documentation. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What version of Go are you using (
go version
)?What operating system and processor architecture are you using (
go env
)?What did you do?
https://play.golang.org/p/Lb7xVfo9i3
What did you expect to see?
A ReadRequest error and a 400 from the test server.
What did you see instead?
No ReadRequest error and success from the test server.
https://tools.ietf.org/html/rfc2616#section-5 says the request-line, each header, and the header section must end in CRLF. Server and ReadRequest don't seem to be enforcing this.
The text was updated successfully, but these errors were encountered: