net/http: bad handling of HEAD requests with a body #53960
Description
HEAD requests may have a body, although RFC 7231 states that "some existing implementations" may reject a HEAD request which contains one.
The net/http package handles HEAD requests with a body in different ways:
- HTTP/1, non-chunked: return a 400 error, close the connection.
- HTTP/1,
Content-Encoding: chunked: ignore the chunked body (trying to parse it as the next request on the connection). Clearly buggy. Not a request smuggling mechanism, since the chunked body data can never be a valid HTTP request. - HTTP/2: close the stream with an error.
We should either support HEAD requests with a body in all circumstances, or fix the HTTP/1 chunked case and add a test for the HTTP/1 identity case. I think support, but I could be argued into always-reject on the grounds that nobody ever actually sends a body in a HEAD request.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this issue.