net/http: bad handling of HEAD requests with a body #53960
Comments
|
Change https://go.dev/cl/418614 mentions this issue: |
|
Change https://go.dev/cl/418634 mentions this issue: |
|
@neild What can be gained in supporting such requests? I would suggest to continue dropping the body and fix case 2 (trying to parse it as a next request) . Supporting undefined behaviour seems like a road to incompatibilities. Are you aware of a use case that relies on that is undefined behaviour or some IETF draft requiring this to work, so that the undefined behaviour becomes standardized soon? |
|
There's no undefined behavior here. The semantics of HEAD requests with a body are undefined--there's no RFC that I know of that defines what that body means--but the mechanics of sending such a request are well-defined. HEAD responses are defined as having no body, but HEAD requests may have one. The argument I see against supporting HEAD requests with a body is that nobody sends these in practice, so receiving one probably indicates a mistake or malicious behavior of some kind. The argument for supporting them is that they're valid requests, and that it's more work to reject them than it is to just handle them. The actual state of support for HEAD-with-a-body in |
seankhliao
added
the
NeedsFix
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Test is in net/http CL 418614. For golang/go#53960. Change-Id: I946d3ec796054c3908beb8a69cc78aa51c04c972 Reviewed-on: https://go-review.googlesource.com/c/net/+/418634 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
|
Change https://go.dev/cl/432197 mentions this issue: |
Pull in HTTP/2 fix needed for net/http test case. f8f703f979 http2: accept HEAD requests with a body For #53960 Change-Id: I59bbd83977daced5ed21ec5345af8cdb607e532e Reviewed-on: https://go-review.googlesource.com/c/go/+/432197 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Fix a bug where a HEAD request with a chunked body would interpret the body as the headers for the next request on the connection. For #53960. Change-Id: I83f7112fdedabd6d6291cd956151d718ee6942cd Reviewed-on: https://go-review.googlesource.com/c/go/+/418614 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
|
@gopherbot please consider this for backport to 1.19, it's a serious problems with no workaround. |
|
Backport issue(s) opened: #56154 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/450515 mentions this issue: |
For #41773 For #41773 For #50465 For #51914 For #53002 For #53896 For #53960 For #54136 For #54299 Change-Id: I729d5eafc1940d5706f980882a08ece1f69bb42c Reviewed-on: https://go-review.googlesource.com/c/go/+/450515 Auto-Submit: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com>
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Test is in net/http CL 418614. For golang/go#53960. Change-Id: I946d3ec796054c3908beb8a69cc78aa51c04c972 Reviewed-on: https://go-review.googlesource.com/c/net/+/418634 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
|
Change https://go.dev/cl/457275 mentions this issue: |
|
Change https://go.dev/cl/457438 mentions this issue: |
|
Change https://go.dev/cl/457416 mentions this issue: |
|
Change https://go.dev/cl/457357 mentions this issue: |
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Test is in net/http CL 418614. For golang/go#53960. For golang/go#56323. Change-Id: I946d3ec796054c3908beb8a69cc78aa51c04c972 Reviewed-on: https://go-review.googlesource.com/c/net/+/418634 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> (cherry picked from commit f8f703f) Reviewed-on: https://go-review.googlesource.com/c/net/+/457416 Reviewed-by: Than McIntosh <thanm@google.com>
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Test is in net/http CL 418614. For golang/go#53960. For golang/go#56154. Change-Id: I946d3ec796054c3908beb8a69cc78aa51c04c972 Reviewed-on: https://go-review.googlesource.com/c/net/+/418634 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> (cherry picked from commit f8f703f) Reviewed-on: https://go-review.googlesource.com/c/net/+/457357 Reviewed-by: Than McIntosh <thanm@google.com>
|
Change https://go.dev/cl/457596 mentions this issue: |
|
Change https://go.dev/cl/457556 mentions this issue: |
…214163817-183621ab9c4e Update x/net to include the fix for #53960. For #53960 For #56154 Change-Id: Ib3e0d66e4125601e20f1b2e3040f29e7ebd4b080 Reviewed-on: https://go-review.googlesource.com/c/go/+/457556 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Than McIntosh <thanm@google.com>
…214163811-6143a133e5c9 Update x/net to include the fix for #53960. For #53960 For #56323 Change-Id: I825212ecdf7bf2f52c2fda1faf1739b593063653 Reviewed-on: https://go-review.googlesource.com/c/go/+/457596 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Damien Neil <dneil@google.com>
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Fix a bug where a HEAD request with a chunked body would interpret the body as the headers for the next request on the connection. For #53960. For #56154. Change-Id: I83f7112fdedabd6d6291cd956151d718ee6942cd Reviewed-on: https://go-review.googlesource.com/c/go/+/418614 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/457438 Reviewed-by: Than McIntosh <thanm@google.com>
HEAD requests may have a body, although RFC 7231 states that "some existing implementations" may reject a HEAD request which contains one.
The
net/httppackage handles HEAD requests with a body in different ways:Content-Encoding: chunked: ignore the chunked body (trying to parse it as the next request on the connection). Clearly buggy. Not a request smuggling mechanism, since the chunked body data can never be a valid HTTP request.We should either support HEAD requests with a body in all circumstances, or fix the HTTP/1 chunked case and add a test for the HTTP/1 identity case. I think support, but I could be argued into always-reject on the grounds that nobody ever actually sends a body in a HEAD request.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this issue.
The text was updated successfully, but these errors were encountered: