net/http: Write() or Flush() on http.ResponseWriter after http.Handler has finished causes either panic or writing to response of ANOTHER request.
#19959 · Closed · matope opened this issue on Apr 13, 2017 · 2 comments
matope changed the title from "net/http: Flush() (or Write()) on http.ResponseWriter after http.Handler has finished causes either panic or writing to response of ANOTHER request." to "net/http: Write() or Flush() on http.ResponseWriter after http.Handler has finished causes either panic or writing to response of ANOTHER request." on Apr 13, 2017
I've found 2 issues around Flush()ing on http.ResponseWriter after the http.Handler has finished. The first problem is that it causes a panic. The latter one is that Write()ing on the http.ResponseWriter is redirected to the response of another request. I'd like to report them.

My version and env

go version go1.8 darwin/amd64

Issue 1 (panic)

I can reproduce it on playground.
https://play.golang.org/p/63aDsPEvZ1

Flush() on the ResponseWriter from a separate goroutine after the http.Handler has finished causes a panic. I think it's because the http.response.w is reset with Reset(nil) to put it into the buffer pool (ref: go/server.go at master · golang/go) in order to reuse it. And bufio.Writer.Flush() with a nil underlying buffer causes a panic (ref: #9657).

I think it's not very good manners to write to the ResponseWriter after the handler has finished. But we don't have a way to know exactly when the handler has finished (before the bufio.Writer.Reset(nil)).

Also, you can use repeated Write() instead of Flush(), because bufio.Writer.Write() potentially invokes its Flush() internally.

Issue 2 (writing to the response of another request)

To make matters worse, because of the reuse of http.response.w, we can write to the response of another request unexpectedly (or expectedly).
https://play.golang.org/p/5z6VbtwqnR

Workaround to handle this issue

I think we can avoid this issue like below.
Fixed version of the first problem: https://play.golang.org/p/jfn1cG0006
Fixed version of the latter problem: https://play.golang.org/p/7hmjZDuE7a

IMHO, though the first issue (panic) might not be a big problem, the latter one should be fixed (in the net/http package). I think it might be a kind of vulnerability because third-party HTTP middleware could hijack any other HTTP handler running on the same http.Server.

What do you think about this?
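The post's own workaround lives behind playground links that are not reproduced on this page, so the following is an added example, not the reporter's code and not part of net/http. It shows one way to keep the invariant the issue is about (nothing touches a ResponseWriter once its handler has returned) when a background goroutine wants to stream into the response: the handler wraps w in a guard it closes just before returning, and blocks until the producer is done, the client disconnects, or a deadline passes. After close(), a late Write is refused with an error instead of landing in a recycled http.response that may already belong to another client. The names guardedWriter, streamHandler, runStreamingDemo and refusedAfterClose are assumptions made for this example, and the three "chunk N" lines are constructed sample output.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// errHandlerDone is returned for any write attempted after the handler returned.
var errHandlerDone = errors.New("handler already returned; write refused")

// guardedWriter (hypothetical helper) wraps the handler's ResponseWriter. Once
// the handler marks it closed, later Write/Flush calls from a background
// goroutine are refused instead of reaching a recycled http.response.
type guardedWriter struct {
	mu     sync.Mutex
	w      http.ResponseWriter
	closed bool
}

func (g *guardedWriter) Write(p []byte) (int, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.closed {
		return 0, errHandlerDone
	}
	return g.w.Write(p)
}

func (g *guardedWriter) Flush() {
	g.mu.Lock()
	defer g.mu.Unlock()
	if f, ok := g.w.(http.Flusher); ok && !g.closed {
		f.Flush()
	}
}

// close runs just before the handler returns; the wrapped ResponseWriter is
// never touched afterwards. Dropping the reference makes a missed check fail
// loudly (nil dereference) rather than silently write into another request.
func (g *guardedWriter) close() {
	g.mu.Lock()
	g.closed = true
	g.w = nil
	g.mu.Unlock()
}

// streamHandler hands the guarded writer to a producer goroutine and blocks
// until it finishes, the client goes away, or a deadline expires. close() runs
// on every exit path, so the producer can never write after the handler ends.
func streamHandler(w http.ResponseWriter, r *http.Request) {
	gw := &guardedWriter{w: w}
	defer gw.close()

	done := make(chan struct{})
	go func() {
		defer close(done)
		for i := 0; i < 3; i++ {
			if _, err := fmt.Fprintf(gw, "chunk %d\n", i); err != nil {
				return // handler is gone: stop instead of touching w
			}
			gw.Flush()
			time.Sleep(10 * time.Millisecond)
		}
	}()

	select {
	case <-done:
	case <-r.Context().Done(): // client disconnected
	case <-time.After(5 * time.Second):
	}
}

// runStreamingDemo serves streamHandler on an in-process test server and
// returns the body a client receives.
func runStreamingDemo() (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(streamHandler))
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// refusedAfterClose shows the guard in isolation: a write after close() is
// rejected rather than forwarded to the (possibly reused) ResponseWriter.
func refusedAfterClose() error {
	gw := &guardedWriter{w: httptest.NewRecorder()}
	gw.close()
	_, err := io.WriteString(gw, "late write")
	return err
}

func main() {
	body, err := runStreamingDemo()
	fmt.Printf("body=%q err=%v\n", body, err)
	fmt.Println("late write:", refusedAfterClose())
}
```

The guard only converts a cross-request write into an error; it does not make post-return writes legitimate. The real fix in the handler is the select that keeps the handler alive for as long as anything may write, which is what net/http's contract requires. Note that guardedWriter deliberately implements only Write and Flush, so the producer cannot reach Header() or WriteHeader() either.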