net/http: StripPrefix regression from fix for #30165 #31622
Comments
dmitshur
added
the
NeedsInvestigation
|
I suspect this is an unfortunate but intended consequence of fixing #30165. Code relying on that should be updated not to rely on it. That is, instead of: http.Handle("/foo/", http.StripPrefix("/foo/", h))It makes more sense to me to be writing: http.Handle("/foo/", http.StripPrefix("/foo", h))That leads to a more consistent behavior. Handlers almost always receive absolute request paths, and trying to handle or support paths that don't begin with a "/" is often going to be problematic or impossible. But I'll let Brad see if anything else can/should be done. /cc @bradfitz |
|
I agree it's a consequence, but it it is misleading to start with a cleaned path, strip a known prefix, and end up with a result where the full prefix was not stripped. Handlers that are coded to only be behind StripPrefix now have to also know that maybe a slash is not stripped, even if requested. The original problem exists because the file server is relying on r.URL.Path to be non-empty; the fix should be to check that it is non-empty before indexing into the path. The original code should also likely just be using FileServer. |
|
I think the original snippet be simplified to https://play.golang.org/p/qIYFprNaibv. |
|
Is there a decision on this? #30165 changed the behavior in this release cycle, and either a revert should to happen before 1.13, or a behavior change note should be made. |
|
A decision hasn't been made, and I agree it needs to be made by 1.13. Adding release-blocker label to make a decision on how to proceed here (to roll back the original fix, find a solution that keeps the original fix without introducing this regression, or to document the change in behavior). |
|
The change in CL 161738 unconditionally cleans the path, but to fix the original issue #30165, it would be sufficient to take action only when the post-strip path is the empty string. Cleaning the entire path in seems like it might be too large of a behavior change to make for I think a safe thing to do here would be to roll back the CL and apply a more targeted fix (perhaps for 1.14). |
dmitshur
added
NeedsDecision
|
In the past, poor interaction between By now, the bar for changing We'll roll back the original CL, reopen #30165, and try again. |
dmitshur
added
the
NeedsFix
gopherbot
removed
the
NeedsDecision
|
Change https://golang.org/cl/180498 mentions this issue: |
|
Change https://golang.org/cl/180499 mentions this issue: |
….Path Updates #30165 Updates #31622 Change-Id: I7a4b91aa7c5c3af8c0b1273cbb42046feddf7d78 Reviewed-on: https://go-review.googlesource.com/c/go/+/180499 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
….Path Updates golang#30165 Updates golang#31622 Change-Id: I7a4b91aa7c5c3af8c0b1273cbb42046feddf7d78 Reviewed-on: https://go-review.googlesource.com/c/go/+/180499 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
….Path Updates golang#30165 Updates golang#31622 Change-Id: I7a4b91aa7c5c3af8c0b1273cbb42046feddf7d78 Reviewed-on: https://go-review.googlesource.com/c/go/+/180499 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
The fix for #30165 breaks code relying on the stripped prefix to elide a leading
/. If code relies on equality testing ofr.URL.Pathafter stripping a leading/path/, that code will break due to the new leading/.I raise this only because I have a test that ensures a response cannot change; that test failed on tip.
What did you do?
https://play.golang.org/p/84ozdbcJ8dm
What did you expect to see?
What did you see instead?
Does this issue reproduce with the latest release (go1.12.4)?
No, tip only.
System details
The text was updated successfully, but these errors were encountered: