net/http: invalid HTTP version parsing in requests #46587
Description
What version of Go are you using (go version)?
$ go version go version go1.16.5 linux/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/home/mkg/.cache/go-build" GOENV="/home/mkg/.config/go/env" GOEXE="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/home/mkg/go/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/home/mkg/go" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/opt/go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/opt/go/pkg/tool/linux_amd64" GOVCS="" GOVERSION="go1.16.5" GCCGO="gccgo" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="/dev/null" CGO_CFLAGS="-g -O2" CGO_CPPFLAGS="" CGO_CXXFLAGS="-g -O2" CGO_FFLAGS="-g -O2" CGO_LDFLAGS="-g -O2" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1401941949=/tmp/go-build -gno-record-gcc-switches"
What did you do?
package main
import (
"net/http"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Hello"))
})
http.ListenAndServe(":8080", nil)
}Run the above program and send the following request:
GET / HTTP/1.+1
Host: localhost:8080
This can easily be done with the following one-liner:
echo -en "GET / HTTP/1.+1\r\nHost: localhost:8080\r\n\r\n" | nc localhost 8080What did you expect to see?
A response with the status 505 HTTP Version Not Supported.
What did you see instead?
A HTTP/1.1 200 OK response.
Further details
net/http interprets all of the following version strings as 1.1 when sent in requests:
+1.1
1.+1
0000000001.1
1.0000000001
Note that RFC 7230 specifies that the HTTP version should only be one single digit, a period and then another single digit. https://datatracker.ietf.org/doc/html/rfc7230#section-2.6
(This was found by Mattias Grenfeldt and Asta Olofsson)