net/http: Server does not validate of HTTP method like Transport and NewRequest #18319
Labels
FrozenDueToAge
help wanted
Suggested
Issues that may be good for new contributors looking for work to do.
Milestone
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version
)?1.7.4 or current master.
What operating system and processor architecture are you using (
go env
)?Linux, Mac, all.
What did you do?
I observed that
http.Transport.RoundTrip
andhttp.NewRequest
use thevalidMethod
function to validate that the request's method is syntactically valid, buthttp.Server
does not. This is different behavior than, say, the validation of header names which is done in both directions.(I specifically noticed this because it's a mechanism by which straightforward use of httputil.ReverseProxy can lead to an error in RoundTripping the request which is the fault of the original client, not the backend server.)
@bradfitz agreed with me that this is a bug and asked me to file it.
See https://play.golang.org/p/DUHElpDb-u
What did you expect to see?
I expected
http.Server
to have the same validation ashttp.NewRequest
andhttp.Transport.RoundTrip
and reject incoming requests with MethodGE)T
before getting to the handler.What did you see instead?
In the playground you can see that the handler is invoked with Method
GE)T
.The text was updated successfully, but these errors were encountered: