can httpclient send any character in http header? #23067

Closed
kxjhcs opened this issue Dec 9, 2017 · 2 comments

kxjhcs commented Dec 9, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.10beta1 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"

What did you do?

I want to check the vulnerability CVE-2006-3918, so I set the HTTP method to `<script>alert(12345)</script>`; then http.NewRequest returns an error: `net/http: invalid method "<script>alert(12345)</script>"`.

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

What did you expect to see?

httpclient can send any character in the HTTP header.

What did you see instead?


acoshift commented Dec 9, 2017

I think you can directly use a TCP connection.

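```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net"
)

func main() {
	addr, err := net.ResolveTCPAddr("tcp", "google.com:80")
	if err != nil {
		log.Fatal(err)
	}
	conn, err := net.DialTCP("tcp", nil, addr)
	if err != nil {
		log.Fatal(err)
	}
	// Write the request by hand, bypassing net/http's method validation.
	// HTTP/1.1 lines end in CRLF; Fprintln would send a bare LF.
	fmt.Fprint(conn, "<script>alert(12345)</script> / HTTP/1.1\r\n")
	fmt.Fprint(conn, "Host: google.com\r\n")
	fmt.Fprint(conn, "Accept: */*\r\n")
	fmt.Fprint(conn, "\r\n") // empty line ends the header block
	// Half-close the connection so the server sees the end of the request.
	err = conn.CloseWrite()
	if err != nil {
		log.Fatal(err)
	}
	// Read the raw response until the server closes its side.
	data, err := ioutil.ReadAll(conn)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s", data)
}
```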

titanous (Member) commented Dec 9, 2017

For questions about Go, see https://golang.org/wiki/Questions

@titanous titanous closed this as completed Dec 9, 2017
@golang golang locked and limited conversation to collaborators Dec 9, 2018
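
Added example, not part of the original thread and not the Go project's own code: it shows why `http.NewRequest` returned the error quoted in the issue, by checking a method against the RFC 7230 `token` character set and comparing the result with what `net/http` accepts. The helper names `isTchar`, `firstNonToken` and `newRequestAccepts`, the sample methods and the `example.invalid` URL are assumptions made for illustration; no connection is opened.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// isTchar reports whether b is an RFC 7230 section 3.2.6 "tchar",
// the only bytes allowed in a request method or header field name.
func isTchar(b byte) bool {
	switch {
	case b >= 'a' && b <= 'z', b >= 'A' && b <= 'Z', b >= '0' && b <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", b) >= 0
}

// firstNonToken returns the index of the first byte that is not a tchar,
// or -1 if every byte of s is a tchar.
func firstNonToken(s string) int {
	for i := 0; i < len(s); i++ {
		if !isTchar(s[i]) {
			return i
		}
	}
	return -1
}

// newRequestAccepts reports whether net/http will build a request with
// this method. Nothing is sent; example.invalid is a placeholder host.
func newRequestAccepts(method string) bool {
	_, err := http.NewRequest(method, "http://example.invalid/", nil)
	return err == nil
}

func main() {
	// Constructed sample methods; the second is the value from the issue.
	samples := []string{
		"GET",
		"<script>alert(12345)</script>",
		"M-SEARCH",
		"GET / HTTP/1.1\r\nX-Injected: 1",
	}
	for _, m := range samples {
		fmt.Printf("%-34q token-ok=%-5v NewRequest-ok=%v\n",
			m, firstNonToken(m) == -1, newRequestAccepts(m))
	}
}
```

The same token rule is what stops a method string containing spaces or CRLF from rewriting the request line, so the rejection seen in the issue is the client-side guard working as intended.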