net/http: ServeContent serves wrong headers if request range is invalid #50905

Closed
@mitar

What version of Go are you using (go version)?

go version go1.17.6 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mitar/.cache/go-build"
GOENV="/home/mitar/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/mitar/.go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/mitar/.go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="/usr/bin/gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build622347340=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I am serving a static blob using ServeContent, setting both Content-Length and Etag:

w.Header().Set("Content-Type", "application/json")
w.Header().Set("Content-Length", strconv.Itoa(len(jsonBody)))
w.Header().Set("Etag", etag)
http.ServeContent(w, req, "", time.Time{}, bytes.NewReader(jsonBody))

Setting Etag and Content-Length is the recommended way to set those headers if one wants them.

When making an invalid range request, e.g., for a blob of 586 bytes, I do:

$ curl -X GET  "localhost:8080/blob" -D - --range 1000-

What did you expect to see?

HTTP/1.1 416 Requested Range Not Satisfiable
Content-Length: 33
Content-Range: bytes */586
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Sat, 29 Jan 2022 15:49:20 GMT

invalid range: failed to overlap

What did you see instead?

HTTP/1.1 416 Requested Range Not Satisfiable
Content-Length: 586
Content-Range: bytes */586
Content-Type: text/plain; charset=utf-8
Etag: "PxeeQ4qvnmrUjKmQLetFD2Xk34YDMF86fdlp-esVkBQ"
X-Content-Type-Options: nosniff
Date: Sat, 29 Jan 2022 15:49:20 GMT

invalid range: failed to overlap
curl: (18) transfer closed with 553 bytes remaining to read

There is:

  • Invalid Content-Length header.
  • Etag does not really hold for this content, so it should be removed.

Content-Range is in fact valid, see #15798.
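
An added example, not part of the original report or of the Go project's code: a handler-side guard that removes the pre-set Content-Length and Etag when ServeContent ends up writing an error status, so the error text is not framed or cached with the blob's metadata. The names `scrubber`, `serveBlob` and `probe`, the sample ETag and the 586-byte blob are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// scrubber removes headers describing the blob when an error status is sent.
type scrubber struct{ http.ResponseWriter }

func (s scrubber) WriteHeader(code int) {
	if code >= 400 {
		s.Header().Del("Content-Length") // blob length, not error-text length
		s.Header().Del("Etag")           // blob validator, not valid for error text
	}
	s.ResponseWriter.WriteHeader(code)
}

// serveBlob sets the headers as in the report, but writes through scrubber.
func serveBlob(w http.ResponseWriter, req *http.Request, body []byte, etag string) {
	sw := scrubber{w}
	sw.Header().Set("Content-Type", "application/json")
	sw.Header().Set("Content-Length", strconv.Itoa(len(body)))
	sw.Header().Set("Etag", etag)
	http.ServeContent(sw, req, "", time.Time{}, bytes.NewReader(body))
}

// probe sends one in-memory request for a constructed 586-byte blob and
// returns the status plus the Etag and Content-Length headers as written.
func probe(rangeHeader string) (status int, etag, contentLength string) {
	body := bytes.Repeat([]byte("x"), 586) // constructed sample data
	req := httptest.NewRequest("GET", "/blob", nil)
	req.Header.Set("Range", rangeHeader)
	rec := httptest.NewRecorder()
	serveBlob(rec, req, body, `"sample-etag"`)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Etag"), res.Header.Get("Content-Length")
}

func main() {
	fmt.Println(probe("bytes=1000-")) // unsatisfiable range: headers scrubbed
	fmt.Println(probe("bytes=0-9"))   // satisfiable range: headers kept
}
```

With Content-Length removed, a real net/http server frames the short error body itself. Embedding `http.ResponseWriter` this way hides optional interfaces such as `http.Flusher` from the wrapped handler.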

Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.)