net/http: GET request hangs if "Content-Length" request-header field is set (possible DoS vulnerability) #33269
Comments
If you are sending non-zero
since a request body does not make any sense in most cases for a GET request, the idle timeout for waiting for the body data could be automatically decreased.
For this to be a security issue, it should bypass the server timeouts, as otherwise there are a number of ways to get the server to wait until the timeout. Could you provide the code or command you are using to generate the request?
I have used the "Advanced REST Client" (https://install.advancedrestclient.com/install)
Further investigation shows that an nginx server which serves static files seems to ignore this field. nginx with a php-fpm activated folder shows the same behaviour...
From this..
I believe the appropriate course of action is to have all handlers read the request body to the end, and make use of ReadTimeout and ReadHeaderTimeout on Server.
I am not sure about the definition of "end". If there's a content length given and the data is needed, the end correlates with the data length.
@je4 thank you for this report! So we've been thinking about this for a while as per #13722 /cc @bradfitz and in 2016 @bradfitz added a great suggestion to perhaps make an opt-in knob #13722 (comment) to accept GET bodies. My data point to accept bodies with GETs is that in the wild and even widely encouraged is Elasticsearch, which permits GET with bodies, e.g. https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-body.html. Your reference in #33269 (comment) doesn't necessarily apply as apples-to-apples because most of those are consumer sites, whereas Go creates web servers, so the business logic is what you are comparing, yet this is a general purpose web server.
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
What did you do?
sending a GET request to the native Go http server with "Content-length" request parameter
What did you expect to see?
immediate response with error code 404 page not found (<2ms)
What did you see instead?
request hangs for a very long time (>1min, client kills connection).
Initial debugging
it seems that the function call w.finishRequest() in func (c *conn) serve(ctx context.Context) from server.go does not return. There is a problem in flushing the write buffer...
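The reproduction steps above, together with the mitigation proposed earlier in the thread (set ReadTimeout and ReadHeaderTimeout on Server), as an added example that is not part of the original issue or of net/http itself. The names newServer, probe and Hangs are chosen here; the handler is http.NotFoundHandler so the expected fast answer is the 404 from the report; the GET is written by hand over a raw TCP connection, carries Content-Length: 10 and never sends the body. The server with no timeouts never produces a status line (it is blocked inside the response-header write path, discarding a body that never arrives); the server with a ReadTimeout gets a read error at the deadline, marks the connection close-after-reply and still answers 404.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newServer builds a test server whose only handler is http.NotFoundHandler,
// so a well-formed GET answers 404 at once. readTimeout == 0 reproduces the
// configuration from the report (no timeouts at all); a non-zero value is the
// mitigation suggested in the thread: bound how long the server waits for
// request data, headers and body alike.
func newServer(readTimeout time.Duration) *httptest.Server {
	s := httptest.NewUnstartedServer(http.NotFoundHandler())
	s.Config.ReadTimeout = readTimeout
	s.Config.ReadHeaderTimeout = readTimeout
	s.Start()
	return s
}

// probe dials addr, sends a GET whose Content-Length claims a 10-byte body but
// withholds the body, and waits up to clientWait for the status line. It
// returns the status line, or the error that interrupted the wait.
func probe(addr string, clientWait time.Duration) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close() // also unblocks the server once the probe gives up

	// Constructed request: headers only, the promised body is never sent.
	req := "GET /missing HTTP/1.1\r\n" +
		"Host: " + addr + "\r\n" +
		"Content-Length: 10\r\n" +
		"\r\n"
	if _, err := conn.Write([]byte(req)); err != nil {
		return "", err
	}
	_ = conn.SetReadDeadline(time.Now().Add(clientWait))
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimRight(line, "\r\n"), nil
}

// Hangs reports whether the probe against addr ran into the client-side
// deadline, i.e. the server produced no status line within clientWait.
func Hangs(addr string, clientWait time.Duration) bool {
	_, err := probe(addr, clientWait)
	ne, ok := err.(net.Error)
	return ok && ne.Timeout()
}

func main() {
	// Reported configuration: no timeouts. The 404 never arrives.
	s := newServer(0)
	fmt.Println("no timeouts, hangs:", Hangs(s.Listener.Addr().String(), time.Second))
	s.CloseClientConnections()
	s.Close()

	// Mitigation: ReadTimeout bounds the wait for the missing body.
	s = newServer(200 * time.Millisecond)
	line, err := probe(s.Listener.Addr().String(), 2*time.Second)
	fmt.Println("ReadTimeout=200ms:", line, err)
	s.CloseClientConnections()
	s.Close()
}
```

The client-side deadline in probe is only there to observe the hang; the server-side ReadTimeout is the setting that actually bounds how long one such connection can occupy the server, which is why the thread treats the report as a missing-timeout configuration rather than a bypass of the server timeouts.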