net/http: bad handling of HEAD requests with a body [1.19 backport] #56154
Comments
gopherbot
added
the
CherryPickCandidate
|
We have a Go service that results in user-facing 503s when it gets a |
|
I don't have a strong opinion on whether this should be backported. The impact is that we treat a HEAD request with a body as a protocol error. HEAD requests with a body are uncommon enough that (AFAIK) the first report of the problem was found via fuzzing. This is not a security issue. It has no workaround, however, so the question for whether it meets the backport criteria turns on whether it's serious or not. |
dr2chase
added
the
CherryPickApproved
gopherbot
removed
the
CherryPickCandidate
|
See also #56323. |
|
Ping for updates here to make sure this approved cherry-pick is moves along. It's been approved for about 20 days now. |
|
another ping here -- @dr2chase is this something you can help with? |
|
Sorry for late reply, net/http is not my area and there's a high risk I'd make a mistake. I did the paperwork for the backport because I was on release-rotation that week. @neild (who assigned himself to the bug 3 days ago) is the right person. |
|
Change https://go.dev/cl/457438 mentions this issue: |
|
Change https://go.dev/cl/457357 mentions this issue: |
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Test is in net/http CL 418614. For golang/go#53960. For golang/go#56154. Change-Id: I946d3ec796054c3908beb8a69cc78aa51c04c972 Reviewed-on: https://go-review.googlesource.com/c/net/+/418634 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> (cherry picked from commit f8f703f) Reviewed-on: https://go-review.googlesource.com/c/net/+/457357 Reviewed-by: Than McIntosh <thanm@google.com>
|
Change https://go.dev/cl/457556 mentions this issue: |
|
Closed by merging 7540675 to release-branch.go1.19. |
…214163817-183621ab9c4e Update x/net to include the fix for #53960. For #53960 For #56154 Change-Id: Ib3e0d66e4125601e20f1b2e3040f29e7ebd4b080 Reviewed-on: https://go-review.googlesource.com/c/go/+/457556 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Than McIntosh <thanm@google.com>
|
The backport for the HTTP/1 fix was never merged, thanks to none of us noticing that Gopherbot had prematurely closed this issue (#29599). The HTTP/2 fix was merged, however. Reopening to merge the HTTP/1 fix (https://go.dev/cl/457438) for 1.19.6. |
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload. Accept HEAD requests with a body. Fix a bug where a HEAD request with a chunked body would interpret the body as the headers for the next request on the connection. For #53960. For #56154. Change-Id: I83f7112fdedabd6d6291cd956151d718ee6942cd Reviewed-on: https://go-review.googlesource.com/c/go/+/418614 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/457438 Reviewed-by: Than McIntosh <thanm@google.com>
|
CL 457438 was merged, but lacked a "Fixes" line (I think it was just a typo). Closing. |
@bobby-stripe requested issue #53960 to be considered for backport to the next 1.19 minor release.
The text was updated successfully, but these errors were encountered: