Description
What version of Go are you using (go version)?
go version devel +7a8e8b2f19 Fri Oct 27 05:47:09 2017 +0000 darwin/amd64
go version go1.9.2 darwin/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
darwin/amd64
What did you do?
Send a wrong HTTP request as "GET / HTTP/1.1\r\n Host: host\r\n\r\n". A right request should be "GET / HTTP/1.1\r\nHost: host\r\n\r\n".
The Host header should not be parsed according to RFC 7230, and the request may be rejected.
A recipient that receives whitespace between the
start-line and the first header field MUST either reject the message
as invalid or consume each whitespace-preceded line without further
processing of it (i.e., ignore the entire line, along with any
subsequent lines preceded by whitespace, until a properly formed
header field is received or the header section is terminated)
A runnable program is
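	package main

	import (
		"io"
		"log"
		"net"
		"net/http"
		"os"
		"time"
	)

	// server logs the Host value that net/http parsed from each request.
	func server() {
		http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
			log.Println(r.Host)
		})
		// Bind before returning so request() cannot dial before the listener exists.
		ln, err := net.Listen("tcp", "localhost:8000")
		if err != nil {
			log.Fatal(err)
		}
		go func() {
			log.Fatal(http.Serve(ln, nil))
		}()
	}

	// request writes the raw bytes directly so the leading space before
	// "Host:" reaches the server unchanged, then prints the response.
	func request() {
		conn, err := net.Dial("tcp", "localhost:8000")
		if err != nil {
			panic(err)
		}
		_, err = conn.Write([]byte("GET / HTTP/1.1\r\n Host: host\r\n\r\n"))
		if err != nil {
			panic(err)
		}
		// Close the keep-alive connection shortly afterwards so io.Copy returns.
		go func() {
			<-time.After(time.Millisecond * 100)
			conn.Close()
		}()
		io.Copy(os.Stdout, conn)
	}

	func main() {
		server()
		request()
	}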
What did you expect to see?
The request fails because of the missing Host header or the whitespace.
The response from Nginx is
HTTP/1.1 400 Bad Request
Server: nginx/1.13.3
Date: Fri, 27 Oct 2017 07:29:15 GMT
Content-Type: text/html
Content-Length: 173
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.13.3</center>
</body>
</html>
What did you see instead?
A successful request.
2017/10/27 15:35:36 host
HTTP/1.1 200 OK
Date: Fri, 27 Oct 2017 07:35:36 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
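The RFC 7230 rule quoted in the report above, written out as an added Go example (not part of the original issue and not net/http's own code). The names parseHead, ErrLeadingWhitespace and the strict flag are hypothetical, and rejecting a folded line after a valid field is a choice made in this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrLeadingWhitespace is the strict-mode rejection (hypothetical name).
var ErrLeadingWhitespace = errors.New("whitespace between start-line and first header field")

// parseHead (hypothetical helper) returns the start-line and header fields of a raw
// request head. strict=true rejects whitespace-preceded lines that follow the
// start-line; strict=false ignores them until a properly formed field appears.
func parseHead(raw string, strict bool) (string, map[string]string, error) {
	head, _, ok := strings.Cut(raw, "\r\n\r\n")
	if !ok {
		return "", nil, errors.New("unterminated header section")
	}
	lines := strings.Split(head, "\r\n")
	fields := make(map[string]string)
	seenField := false
	for _, line := range lines[1:] {
		if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") {
			if seenField {
				// Folded continuation of an earlier field: rejected in this example.
				return "", nil, errors.New("folded header line rejected")
			}
			if strict {
				return "", nil, ErrLeadingWhitespace
			}
			continue // ignore the entire line without further processing
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok || name == "" || strings.ContainsAny(name, " \t") {
			return "", nil, fmt.Errorf("malformed header line %q", line)
		}
		fields[strings.ToLower(name)] = strings.TrimSpace(value)
		seenField = true
	}
	return lines[0], fields, nil
}

func main() {
	// The malformed request from the report, then the well-formed one.
	for _, raw := range []string{"GET / HTTP/1.1\r\n Host: host\r\n\r\n", "GET / HTTP/1.1\r\nHost: host\r\n\r\n"} {
		_, fields, _ := parseHead(raw, false)
		_, _, strictErr := parseHead(raw, true)
		fmt.Printf("%q lenient fields=%v strict err=%v\n", raw, fields, strictErr)
	}
}
```

With either option the malformed request ends up with no Host field, so it never yields the "host" value the report saw logged.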