Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: Server and ReadRequest not requiring CRLF to end request-line and headers #19106

Closed
danp opened this issue Feb 15, 2017 · 4 comments

Comments

Projects
None yet
4 participants
@danp
Copy link
Contributor

commented Feb 15, 2017

What version of Go are you using (go version)?

go version devel +79fab70a63 Wed Feb 15 09:26:33 2017 +0000 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/dan.peterson/Projects/go"
GORACE=""
GOROOT="/Users/dan.peterson/Projects/go/project/go"
GOTOOLDIR="/Users/dan.peterson/Projects/go/project/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/5b/rh45nd3n5sz5phl9s2kx8vwhng20hp/T/go-build354372830=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

https://play.golang.org/p/Lb7xVfo9i3

What did you expect to see?

A ReadRequest error and a 400 from the test server.

What did you see instead?

No ReadRequest error and success from the test server.

https://tools.ietf.org/html/rfc2616#section-5 says the request-line, each header, and the header section must end in CRLF. Server and ReadRequest don't seem to be enforcing this.

@mvdan

This comment has been minimized.

Copy link
Member

commented Feb 15, 2017

@bradfitz

This comment has been minimized.

Copy link
Member

commented Feb 15, 2017

I'm pretty sure Go has behaved like this from day 1, before I was involved.

I'd be willing to try to change it and see what explodes, as long as the majority of popular servers also reject it. Do they? What do Apache and nginx and Google's GFE do? (I'm busy today, so maybe somebody else can check and report back)

@bradfitz bradfitz added this to the Go1.9Maybe milestone Feb 15, 2017

@danp

This comment has been minimized.

Copy link
Contributor Author

commented Feb 15, 2017

Expanded the playground program to take a URL argument and tried it on google.com and nginx.com, seems both accept the request.

So maybe leave it? Worth documenting somewhere?

@bradfitz

This comment has been minimized.

Copy link
Member

commented Feb 15, 2017

Thanks for investigating. I don't think it's worth documenting. If we documented every HTTP/1 quirk we'd drown out the useful package documentation.

@bradfitz bradfitz closed this Feb 15, 2017

@golang golang locked and limited conversation to collaborators Feb 15, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.