net/http: request body errors don't close a connection #11930
Comments
I don't quite follow. What type of errors? Can you give a concrete example? How can you trick a server into reading a further request? We shouldn't ever be reusing the connection unless the body has been consumed.
This is fixed in https://go-review.googlesource.com/#/c/12865/
A simple example is Timeout errors are ignored, too. though. You can smuggle a request basically by doing:
CL https://golang.org/cl/12865 mentions this issue.
I do think we need to fix this for Go 1.5, now that I've looked at it. Timing sucks because I'm on vacation but I'll review the CL more when I get laptop net access again in a few hours.
After an HTTP server parses a request's headers, it essentially passes control of the protocol handling to a request body Reader. Generally, this Reader either consumes up to the number of bytes specified by Content-Length, or follows a chunked encoded entity.
But, errors encountered at this stage are completely ignored by the server. Broken connections are left intact, and the server will attempt to read further requests from them.
This is a vector for request smuggling.
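An added example, not part of the issue thread or Go's own server code: a simplified keep-alive loop built on `http.ReadRequest` that shows why the connection has to be dropped once the body Reader fails. `serveModel`, its `closeOnBodyErr` flag and the byte stream are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// constructedStream is sample input built for this example: one keep-alive
// connection whose first request has a malformed chunk-size line ("zz"),
// followed by bytes that parse as a second request.
const constructedStream = "POST /first HTTP/1.1\r\nHost: example.test\r\n" +
	"Transfer-Encoding: chunked\r\n\r\n" +
	"zz\r\n" +
	"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"

// serveModel is a hypothetical, simplified keep-alive loop (not net/http's
// server code). It returns the paths of every request it parsed from conn
// and the first body read error it saw. With closeOnBodyErr false it ignores
// body errors, as the issue describes; with true it abandons the connection.
func serveModel(conn io.Reader, closeOnBodyErr bool) (paths []string, bodyErr error) {
	br := bufio.NewReader(conn)
	for {
		req, err := http.ReadRequest(br)
		if err != nil {
			return paths, bodyErr // EOF or unparsable headers: stop
		}
		paths = append(paths, req.URL.Path)
		// Drain the body, as a server must before reusing the connection.
		if _, err := io.Copy(io.Discard, req.Body); err != nil {
			if bodyErr == nil {
				bodyErr = err
			}
			if closeOnBodyErr {
				return paths, bodyErr // framing is unknown: do not read on
			}
		}
	}
}

func main() {
	for _, strict := range []bool{false, true} {
		paths, err := serveModel(strings.NewReader(constructedStream), strict)
		fmt.Printf("closeOnBodyErr=%v parsed=%v bodyErr=%v\n", strict, paths, err)
	}
}
```

In the lenient mode the bytes after the broken chunk header are treated as a fresh request; in the strict mode the loop stops at the body error and nothing further is parsed.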