net/http: Server does not validate of HTTP method like Transport and NewRequest #18319
Labels
FrozenDueToAge
help wanted
Suggested
Issues that may be good for new contributors looking for work to do.
Milestone
Comments
glasser
changed the title
bradfitz
added
help wanted
Suggested
|
CL https://golang.org/cl/34470 mentions this issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version)?1.7.4 or current master.
What operating system and processor architecture are you using (
go env)?Linux, Mac, all.
What did you do?
I observed that
http.Transport.RoundTripandhttp.NewRequestuse thevalidMethodfunction to validate that the request's method is syntactically valid, buthttp.Serverdoes not. This is different behavior than, say, the validation of header names which is done in both directions.(I specifically noticed this because it's a mechanism by which straightforward use of httputil.ReverseProxy can lead to an error in RoundTripping the request which is the fault of the original client, not the backend server.)
@bradfitz agreed with me that this is a bug and asked me to file it.
See https://play.golang.org/p/DUHElpDb-u
What did you expect to see?
I expected
http.Serverto have the same validation ashttp.NewRequestandhttp.Transport.RoundTripand reject incoming requests with MethodGE)Tbefore getting to the handler.What did you see instead?
In the playground you can see that the handler is invoked with Method
GE)T.The text was updated successfully, but these errors were encountered: