net/http/httputil: NewChunkedReader reports incomplete uploads as complete #48861
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
What version of Go are you using (
go version
)?Issue presents in current Go Playground, at time of writing the About page describes it as version 1.17.2.
Issue appears present in the latest Go source code, and this line hasn't been changed for ~8 years according to Git Annotate.
Does this issue reproduce with the latest release?
Yes (based on using the Go Playground).
What operating system and processor architecture are you using (
go env
)?go env
OutputThe Go Playground environment.
What did you do?
Here is a test suite in the Go Playground that demonstrates the issue, with some surrounding boundary cases to show what currently does and does not work.
I believe the issue is this line of code.
Whilst the
readChunkLine
(link) method takes care to mapio.EOF
to anio.ErrUnexpectedEOF
, it seems that the code that reads the actual "chunk" itself does not actually check forio.EOF
and report it as an error.What did you expect to see?
As demonstrated in the Go Playground link, I believe that an
io.EOF
from the underlying reader should, at any point, be mapped toio.ErrUnexpectedEOF
unless it successfully received the 0-length chunk that indicates the end of the stream.What did you see instead?
Whilst the current implementation does handle
io.EOF
correctly during a chunk header line, it erroneously returnsio.EOF
(notio.ErrUnexpectedEOF
) when anio.EOF
is encountered part-way through a chunk.The importance of this bug is that this makes it dangerously ambiguous whether the upload was interrupted, or whether the upload completed successfully. Anyone reading from the chunked decoder will see a normal
io.EOF
on cancellation, think that the full body was received, and continue processing - unaware that they have a partial upload.The text was updated successfully, but these errors were encountered: