net/http: panic if path value is an asterisk

[ythosa]

Go version

go version go1.22.2 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/rbabin/Library/Caches/go-build'
GOENV='/Users/rbabin/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/rbabin/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/rbabin/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,https://goproxy.s.o3.ru'
GOROOT='/opt/homebrew/opt/go/libexec'
GOSUMDB='off'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/opt/go/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.2'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/fw/18w77_ld3zl9m3nx2mx6r8500000gn/T/go-build3980141414=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

I've wrote simple server and simple curl

curl -X GET "localhost:6006/files/*"

package main

import (
	"log"
	"net/http"
)

func fileHandler(w http.ResponseWriter, r *http.Request) {
	if r.PathValue("file") == "" {
		http.Error(w, "File not found", http.StatusNotFound)
		return
	}
}

func main() {
	http.HandleFunc("GET /files/{file...}", fileHandler)
	log.Printf("Listening on :6006\n")
	log.Fatal(http.ListenAndServe(":6006", nil))
}

What did you see happen?

2024/04/26 18:04:16 http: panic serving [::1]:58303: runtime error: index out of range [0] with length 0
goroutine 35 [running]:
net/http.(*conn).serve.func1()
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:1898 +0xb0
panic({0x102ed69c0?, 0x140001300f0?})
        /opt/homebrew/opt/go/libexec/src/runtime/panic.go:770 +0x124
net/http.(*Request).PathValue(...)
        /opt/homebrew/opt/go/libexec/src/net/http/request.go:1443
main.(*FileHandler).Serve(0xe8?, {0x102ef2d90?, 0x140001640e0?}, 0x10315ca68?)
        /Users/rbabin/Downloads/web-disk/simple/simple.go:13 +0xe8
net/http.HandlerFunc.ServeHTTP(0x1030770a0?, {0x102ef2d90?, 0x140001640e0?}, 0x102df68b8?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2166 +0x38
net/http.(*ServeMux).ServeHTTP(0x0?, {0x102ef2d90, 0x140001640e0}, 0x1400014e360)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2683 +0x1a4
net/http.serverHandler.ServeHTTP({0x14000120c90?}, {0x102ef2d90?, 0x140001640e0?}, 0x6?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x1400017a000, {0x102ef31f8, 0x14000120ba0})
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3285 +0x3f0
2024/04/26 18:04:17 http: panic serving [::1]:58309: runtime error: index out of range [0] with length 0
goroutine 37 [running]:
net/http.(*conn).serve.func1()
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:1898 +0xb0
panic({0x102ed69c0?, 0x14000130150?})
        /opt/homebrew/opt/go/libexec/src/runtime/panic.go:770 +0x124
net/http.(*Request).PathValue(...)
        /opt/homebrew/opt/go/libexec/src/net/http/request.go:1443
main.(*FileHandler).Serve(0xe8?, {0x102ef2d90?, 0x140001641c0?}, 0x10315ca68?)
        /Users/rbabin/Downloads/web-disk/simple/simple.go:13 +0xe8
net/http.HandlerFunc.ServeHTTP(0x1030770a0?, {0x102ef2d90?, 0x140001641c0?}, 0x102df68b8?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2166 +0x38
net/http.(*ServeMux).ServeHTTP(0x0?, {0x102ef2d90, 0x140001641c0}, 0x1400014e6c0)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2683 +0x1a4
net/http.serverHandler.ServeHTTP({0x14000120e40?}, {0x102ef2d90?, 0x140001641c0?}, 0x6?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x1400017a1b0, {0x102ef31f8, 0x14000120ba0})
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3285 +0x3f0
2024/04/26 18:05:03 http: panic serving [::1]:58546: runtime error: index out of range [0] with length 0
goroutine 50 [running]:
net/http.(*conn).serve.func1()
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:1898 +0xb0
panic({0x102ed69c0?, 0x14000224018?})
        /opt/homebrew/opt/go/libexec/src/runtime/panic.go:770 +0x124
net/http.(*Request).PathValue(...)
        /opt/homebrew/opt/go/libexec/src/net/http/request.go:1443
main.(*FileHandler).Serve(0xe8?, {0x102ef2d90?, 0x1400022c000?}, 0x10315cf18?)
        /Users/rbabin/Downloads/web-disk/simple/simple.go:13 +0xe8
net/http.HandlerFunc.ServeHTTP(0x1030770a0?, {0x102ef2d90?, 0x1400022c000?}, 0x102df68b8?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2166 +0x38
net/http.(*ServeMux).ServeHTTP(0x0?, {0x102ef2d90, 0x1400022c000}, 0x14000222000)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2683 +0x1a4
net/http.serverHandler.ServeHTTP({0x14000204090?}, {0x102ef2d90?, 0x1400022c000?}, 0x6?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x14000208000, {0x102ef31f8, 0x14000120ba0})
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3285 +0x3f0

What did you expect to see?

I'm expecting that my server won't panic if i provide an asterisk to path variable

[seankhliao]

cc @neild @jba

[gopherbot]

Change https://go.dev/cl/581977 mentions this issue: net/http: check index-out-of-bounds for Request.matches in PathValue, SetPathValue

[gopherbot]

Change https://go.dev/cl/582115 mentions this issue: net/http: represent multi wildcards properly