New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: allow processing requests without Host header #44388
Comments
I think this should be removed, the language itself should not make this judgment, but should be given to the web framework to achieve. I'd like to hear from the community and would be happy to submit a relevant PR if I can. I have written a behavior for this case in different languages for this purpose: https://github.com/BlackHole1/http-header-host Here is the outline: rfc2822 - 2.2. Header FieldsThere is no mention in this specification of a requirement for the rfc7230 - 5.4 Host
When there is no Resultnodejs / python is normal golang will report an error |
I understand why golang does this, but I personally don't feel that we should make blocking judgments about this at the language level. Like I said above, it should be left to the web framework to implement Just like nodejs and python, only simple assignment operations are done. @neild @bradfitz @seankhliao What do you think? |
cc @ianlancetaylor as possible proposal |
I don't think we should remove this. The spec says these are the rules, and we follow them. If you're dealing with some non-compliant software or using some HTTP-like protocol that's not HTTP, you can write a net.Conn adapter that HTTP-ifies it for |
RFC 7230 is extremely clear:
We aren't going to gratuitously violate the specification here. As @bradfitz says, if you're working with something that speaks almost-but-not-quite HTTP, then you can write an adapter to convert it to actual HTTP. |
I am in the unfortunate position of dealing with an almost-HTTP protocol, where this Host header problem is the only one I can't easily get around with the http library. I was hoping to just be able to disable the Host header check, but it sounds like that won't happen. Do you have an example of what you're describing with a net.Conn implementation which converts the requests to HTTP. It would be nice if I could leave the rest of my normal HTTP server implementation as is. |
I meet the same problem and after check the implement in golang, I doubt the As comment by @BlackHole1 (#44388 (comment)), |
@neild for testing/measurement/security/etc. purposes it would be extremely helpful to see how a server responds exactly when violating RFCs. The alternative of "write your own HTTP protocol handler" means that I have to go about and reimplement everything that go std lib does just to remove one bloody header. |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?Not relevant
What did you do?
Run up an HTTP server using
net/http.Server.ListenAndServe()
Send an illegal HTTP/1.1 request (missing
Host
header):I also looked at #35283 as being a possible solution but clearly not as it has been rejected.
What did you expect to see?
Valid response to request.
I am trying to write a server application that will accept these (invalid) requests from client software over which I have no control. Some of the clients in the field no longer have firmware updates available and so no fix can be expected there. I am looking for a means to modify the behaviour of only a small part of the standard http server.
What did you see instead?
Error response generated by
server.go:(c *conn)readRequest()
The text was updated successfully, but these errors were encountered: