net/http: bad handling of HEAD requests with a body [1.19 backport] #56154

Open
gopherbot opened this issue Oct 11, 2022 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases
Milestone

Comments

gopherbot commented Oct 11, 2022

@bobby-stripe requested issue #53960 to be considered for backport to the next 1.19 minor release.

@gopherbot please consider this for backport to 1.19, it's a serious problem with no workaround.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Oct 11, 2022
@gopherbot gopherbot added this to the Go1.19.3 milestone Oct 11, 2022

bobby-stripe commented Oct 11, 2022

We have a Go service that results in user-facing 503s when it gets a HEAD request with a body, and as this happens so low in the net/http stack we don't have a good way to distinguish these 5xxs from more actionable errors. I believe this meets the criteria for a backport from MinorReleases, but happy to discuss more!

neild (Contributor) commented Oct 12, 2022

I don't have a strong opinion on whether this should be backported.

The impact is that we treat a HEAD request with a body as a protocol error. HEAD requests with a body are uncommon enough that (AFAIK) the first report of the problem was found via fuzzing.

This is not a security issue. It has no workaround, however, so the question for whether it meets the backport criteria turns on whether it's serious or not.

@dr2chase dr2chase added the CherryPickApproved Used during the release process for point releases label Oct 19, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Oct 19, 2022
dr2chase (Contributor) commented Oct 19, 2022

See also #56323.

@gopherbot gopherbot modified the milestones: Go1.19.3, Go1.19.4 Nov 1, 2022
mknyszek (Contributor) commented Nov 8, 2022

Ping for updates here to make sure this approved cherry-pick moves along. It's been approved for about 20 days now.
