net/http: ServeContent serves wrong headers if request range is invalid #50905

Open
mitar opened this issue Jan 29, 2022 · 2 comments
@mitar mitar commented Jan 29, 2022

What version of Go are you using (go version)?

go version go1.17.6 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mitar/.cache/go-build"
GOENV="/home/mitar/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/mitar/.go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/mitar/.go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="/usr/bin/gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build622347340=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I am serving a static blob using ServeContent, setting both Content-Length and Etag:

w.Header().Set("Content-Type", "application/json")
w.Header().Set("Content-Length", strconv.Itoa(len(jsonBody)))
w.Header().Set("Etag", etag)
http.ServeContent(w, req, "", time.Time{}, bytes.NewReader(jsonBody))

Setting Etag and Content-Length is the recommended way to set those headers if one wants them.

When making an invalid range request, e.g., for a blob of 586 bytes, I do:

$ curl -X GET  "localhost:8080/blob" -D - --range 1000-

What did you expect to see?

HTTP/1.1 416 Requested Range Not Satisfiable
Content-Length: 33
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Sat, 29 Jan 2022 15:49:20 GMT

invalid range: failed to overlap

What did you see instead?

HTTP/1.1 416 Requested Range Not Satisfiable
Content-Length: 586
Content-Range: bytes */586
Content-Type: text/plain; charset=utf-8
Etag: "PxeeQ4qvnmrUjKmQLetFD2Xk34YDMF86fdlp-esVkBQ"
X-Content-Type-Options: nosniff
Date: Sat, 29 Jan 2022 15:49:20 GMT

invalid range: failed to overlap
curl: (18) transfer closed with 553 bytes remaining to read

There is:

  • Invalid Content-Length header.
  • Etag does not really hold for this content, so it should be removed.

Content-Range is in fact valid, see #15798.
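
A workaround sketch for the behaviour reported above, added here as an example and not code from the issue or from the Go project: a `ResponseWriter` wrapper removes the caller-set `Content-Length` and `Etag` when `ServeContent` answers 416. The names `rangeErrorWriter`, `serveBlob` and `probe` are hypothetical, and the 586-byte blob and ETag value are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// rangeErrorWriter (hypothetical name) drops blob-specific headers on a 416 reply.
type rangeErrorWriter struct{ http.ResponseWriter }

func (w rangeErrorWriter) WriteHeader(status int) {
	if status == http.StatusRequestedRangeNotSatisfiable {
		w.Header().Del("Content-Length") // would be the blob size, not the error text
		w.Header().Del("Etag")           // validator for the blob, not for the error text
	}
	w.ResponseWriter.WriteHeader(status) // Content-Range is not touched by the wrapper
}

// serveBlob sets the headers as in the report, then serves through the wrapper.
func serveBlob(body []byte, etag string) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Content-Length", strconv.Itoa(len(body)))
		w.Header().Set("Etag", etag)
		http.ServeContent(rangeErrorWriter{w}, req, "", time.Time{}, bytes.NewReader(body))
	}
}

// probe requests a constructed 586-byte blob; returns status, Content-Length, Etag.
func probe(rng string) (int, string, string) {
	h := serveBlob(bytes.Repeat([]byte("x"), 586), `"constructed-etag"`)
	req := httptest.NewRequest(http.MethodGet, "/blob", nil)
	req.Header.Set("Range", rng) // an empty value is handled like a missing header
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Content-Length"), res.Header.Get("Etag")
}

func main() {
	for _, rng := range []string{"", "bytes=0-9", "bytes=1000-"} {
		status, cl, etag := probe(rng)
		fmt.Printf("Range=%q status=%d Content-Length=%q Etag=%q\n", rng, status, cl, etag)
	}
}
```

Embedding `http.ResponseWriter` this way hides optional interfaces such as `http.Flusher` and `io.ReaderFrom` from `ServeContent`, so treat it as a sketch of the header handling only.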

@toothrot toothrot added the NeedsInvestigation label Feb 4, 2022
@toothrot toothrot added this to the Backlog milestone Feb 4, 2022

@gopherbot gopherbot commented Apr 7, 2022

Change https://go.dev/cl/381956 mentions this issue: net/http: set/override Content-Length for encoded range requests


@mitar mitar commented Apr 7, 2022

The reference was made by mistake. It is unrelated (or partially related, but I do not think enough to be linked).
