net/http: ReadRequest should reject requests with multiple Host headers #45463
Comments
Does ReadRequest return an error if there are multiple Host headers in the request?
Thank you for your sample. Given that ReadRequest rejects the request, are you asking for the error to be changed to perhaps indicate the multiple header values presented? Asked another way, if we changed http.Request to capture multiple Host headers, how would that change the program you are trying to write?
@davecheney - it does not return an error when there are multiple The issue is it does not return an error nor reflect in the
To answer your latter question, I want to be able to use the API to parse an incoming byte stream and return an error if it has multiple
@borncrusader thank you for your reply. Given this is a violation of the RFC, maybe the best resolution of this issue is to make ReadRequest reject such requests.
Thanks @davecheney for your prompt reply!
Looks like #45513 addresses this as well. I believe this will be considered for 1.16.4. Please correct me if I'm wrong, @davecheney
1.17 returns an error,
I'll close this issue because it is a duplicate of issue #45513. Let's continue the conversation there. (Please let me know if I misunderstood or missed something.)
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
http.ReadRequest doesn't account for potentially multiple Host headers in the request. This is a snippet of the code to reproduce this issue - https://play.golang.org/p/vZ71i09DAHb
According to the HTTP Spec (https://tools.ietf.org/html/rfc7230#section-5.4),
However, this is appropriately handled in https://github.com/golang/go/blob/master/src/net/http/server.go#L1007. But clients attempting to parse an HTTP request using http.ReadRequest have no means to detect the presence of multiple Host headers since the Host header is promoted to http.Request.Host and is not part of the http.Request.Header map.
What did you expect to see?
Expect to have a means by which one can detect the presence of multiple Host headers in the HTTP request when using http.ReadRequest.
What did you see instead?
The http.Request returned by the method does not have any indication of the presence of multiple Host headers. It also returns a nil error.
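One way to get the check requested in this issue without depending on what http.ReadRequest itself does with duplicates: count the Host header lines in the raw bytes first, then parse. This is an added example, not code from the issue or from the Go project; the names ReadRequestStrict, countHostHeaders and ErrMultipleHost are hypothetical, and the sample requests are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"net/textproto"
)

// ErrMultipleHost is a hypothetical sentinel error used by this example.
var ErrMultipleHost = errors.New("request has more than one Host header")

// countHostHeaders parses only the header block of a raw HTTP/1.x request
// and reports how many Host header lines it carries, in any letter case.
func countHostHeaders(raw []byte) (int, error) {
	tp := textproto.NewReader(bufio.NewReader(bytes.NewReader(raw)))
	if _, err := tp.ReadLine(); err != nil { // skip the request line
		return 0, err
	}
	hdr, err := tp.ReadMIMEHeader() // canonicalizes "host" and "HOST" to "Host"
	if err != nil {
		return 0, err
	}
	return len(hdr["Host"]), nil
}

// ReadRequestStrict rejects duplicate Host headers, then parses the same bytes.
func ReadRequestStrict(raw []byte) (*http.Request, error) {
	n, err := countHostHeaders(raw)
	if err != nil {
		return nil, err
	}
	if n > 1 {
		return nil, fmt.Errorf("%w (found %d)", ErrMultipleHost, n)
	}
	return http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
}

func main() {
	// Constructed sample request with two Host lines in different case.
	dup := []byte("GET / HTTP/1.1\r\nHost: a.example\r\nhost: b.example\r\n\r\n")
	_, err := ReadRequestStrict(dup)
	fmt.Println("duplicate:", err)
}
```

Because the count is taken from the header lines before any promotion to http.Request.Host, the result is the same whether or not the installed Go release already rejects such requests.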