net/http: Server and ReadRequest not requiring CRLF to end request-line and headers #19106

Closed
danp opened this issue Feb 15, 2017 · 4 comments
@danp
Contributor

danp commented Feb 15, 2017

What version of Go are you using (go version)?

go version devel +79fab70a63 Wed Feb 15 09:26:33 2017 +0000 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/dan.peterson/Projects/go"
GORACE=""
GOROOT="/Users/dan.peterson/Projects/go/project/go"
GOTOOLDIR="/Users/dan.peterson/Projects/go/project/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/5b/rh45nd3n5sz5phl9s2kx8vwhng20hp/T/go-build354372830=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

https://play.golang.org/p/Lb7xVfo9i3

What did you expect to see?

A ReadRequest error and a 400 from the test server.

What did you see instead?

No ReadRequest error and success from the test server.

https://tools.ietf.org/html/rfc2616#section-5 says the request-line, each header, and the header section must end in CRLF. Server and ReadRequest don't seem to be enforcing this.

@mvdan
Member

mvdan commented Feb 15, 2017

cc @bradfitz

@bradfitz
Contributor

I'm pretty sure Go has behaved like this from day 1, before I was involved.

I'd be willing to try to change it and see what explodes, as long as the majority of popular servers also reject it. Do they? What do Apache and nginx and Google's GFE do? (I'm busy today, so maybe somebody else can check and report back)

@bradfitz bradfitz added this to the Go1.9Maybe milestone Feb 15, 2017
@danp
Contributor Author

danp commented Feb 15, 2017

Expanded the playground program to take a URL argument and tried it on google.com and nginx.com, seems both accept the request.

So maybe leave it? Worth documenting somewhere?

@bradfitz
Contributor

Thanks for investigating. I don't think it's worth documenting. If we documented every HTTP/1 quirk we'd drown out the useful package documentation.

@golang golang locked and limited conversation to collaborators Feb 15, 2018
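
The behaviour reported in this issue, next to a strict pre-check for callers that want requests without CRLF line endings rejected, as an added example that is not code from the issue, the linked playground program, or the Go project. `ErrBareLF`, `readLenient`, `checkHead`, `strictReadRequest` and the two sample requests are hypothetical names and constructed inputs; the check assumes the whole request head is already in memory.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net/http"
)

// ErrBareLF is a hypothetical error for this example; net/http defines no such error.
var ErrBareLF = errors.New("request head line not terminated by CRLF")

// Constructed sample requests: same content, LF-only and CRLF line endings.
var lfOnly = []byte("GET / HTTP/1.1\nHost: example.com\n\n")
var crlf = []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

// readLenient parses raw with http.ReadRequest and no extra checks.
func readLenient(raw []byte) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
}

// checkHead fails on the first head line (request-line, header, blank line) not ending in CRLF.
func checkHead(raw []byte) error {
	for {
		i := bytes.IndexByte(raw, '\n')
		if i < 1 || raw[i-1] != '\r' {
			return ErrBareLF // also covers a head cut off before its blank line
		}
		if i == 1 { // a lone CRLF ends the head
			return nil
		}
		raw = raw[i+1:]
	}
}

// strictReadRequest runs checkHead before handing raw to http.ReadRequest.
func strictReadRequest(raw []byte) (*http.Request, error) {
	if err := checkHead(raw); err != nil {
		return nil, err
	}
	return readLenient(raw)
}

func main() {
	_, lenient := readLenient(lfOnly)
	_, strict := strictReadRequest(lfOnly)
	fmt.Printf("LF-only request: ReadRequest err=%v, strict err=%v\n", lenient, strict)
}
```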