New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: parse and ignore chunked encoding's chunk-extension #13135
Comments
Yes, I guess we don't parse Did this come up in real life, or is it contrived? |
We are running our proxy through a bunch of HTTP conformity tests. I think is not very common, but it should be cleanly ignored. HTTP specification states that applications / proxies should just ignore them if they don't understand them. Ideally, we parse them, but otherwise I think just ignoring them is fine. |
In particular this arose through tests for HTTP proxy spec conformity with co-advisor, which is a very handy tool. We agree it's not used in practice @bradfitz, but it would be good if it didn't crash as it creates an incredibly easy attack vector for anyone trying to attack the server. |
To be clear, it's not crashing, right? It's just truncating the request body? This is an easy fix, though. |
With Go 1.5.1 on Debian Jessie:
|
The other tests that trigger it.
|
I believe all of those |
The panic reported here is unrelated to chunked-extensions. The panic comes from finishRequest trying to call req.Body = nil But if you actually looked at the error value from httputil.DumpRequest, you can see that it's a valid error, not a panic:
That's it not understanding chunk extensions. The reason that DumpRequest sets the body to nil is because it can't synthesize an equivalent body after failing to read it in the first place. (see docs for DumpRequest on why it needs to do that... the body is just an io.Reader and can't be rewound, so it's recorded instead) |
Thank you for checking it out! |
CL https://golang.org/cl/16572 mentions this issue. |
The Server's server goroutine was panicing (but recovering) when cleaning up after handling a request. It was pretty harmless (it just closed that one connection and didn't kill the whole process) but it was distracting. Updates #13135 Change-Id: I2a0ce9e8b52c8d364e3f4ce245e05c6f8d62df14 Reviewed-on: https://go-review.googlesource.com/16572 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
CL https://golang.org/cl/16680 mentions this issue. |
Note that https://golang.org/cl/16680 fixes it, but not if the line containing the chunk length is over 4KB. I'm not going out of my way to support that. Since nobody uses chunk extensions anyway, it follows that nobody uses chunk extensions over 4KB. If you do, you deserve to be truncated. |
Thank you @bradfitz. That is great. Do these patches get into the next minor version of Go? |
Oh, I see the milestone is 1.6. Thanks! |
The server:
HTTP request:
More information
localhost
host is irrelevant. Using the server address triggers it too.The text was updated successfully, but these errors were encountered: