Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: panic if path value is an asterisk #67067

Closed
ythosa opened this issue Apr 26, 2024 · 3 comments
Closed

net/http: panic if path value is an asterisk #67067

ythosa opened this issue Apr 26, 2024 · 3 comments
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.23

Comments

@ythosa
Copy link

ythosa commented Apr 26, 2024
edited

Go version

go version go1.22.2 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/rbabin/Library/Caches/go-build'
GOENV='/Users/rbabin/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/rbabin/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/rbabin/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,https://goproxy.s.o3.ru'
GOROOT='/opt/homebrew/opt/go/libexec'
GOSUMDB='off'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/opt/go/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.2'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/fw/18w77_ld3zl9m3nx2mx6r8500000gn/T/go-build3980141414=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

I've wrote simple server and simple curl

curl -X GET "localhost:6006/files/*"
package main

import (
	"log"
	"net/http"
)

func fileHandler(w http.ResponseWriter, r *http.Request) {
	if r.PathValue("file") == "" {
		http.Error(w, "File not found", http.StatusNotFound)
		return
	}
}

func main() {
	http.HandleFunc("GET /files/{file...}", fileHandler)
	log.Printf("Listening on :6006\n")
	log.Fatal(http.ListenAndServe(":6006", nil))
}

What did you see happen?

2024/04/26 18:04:16 http: panic serving [::1]:58303: runtime error: index out of range [0] with length 0
goroutine 35 [running]:
net/http.(*conn).serve.func1()
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:1898 +0xb0
panic({0x102ed69c0?, 0x140001300f0?})
        /opt/homebrew/opt/go/libexec/src/runtime/panic.go:770 +0x124
net/http.(*Request).PathValue(...)
        /opt/homebrew/opt/go/libexec/src/net/http/request.go:1443
main.(*FileHandler).Serve(0xe8?, {0x102ef2d90?, 0x140001640e0?}, 0x10315ca68?)
        /Users/rbabin/Downloads/web-disk/simple/simple.go:13 +0xe8
net/http.HandlerFunc.ServeHTTP(0x1030770a0?, {0x102ef2d90?, 0x140001640e0?}, 0x102df68b8?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2166 +0x38
net/http.(*ServeMux).ServeHTTP(0x0?, {0x102ef2d90, 0x140001640e0}, 0x1400014e360)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2683 +0x1a4
net/http.serverHandler.ServeHTTP({0x14000120c90?}, {0x102ef2d90?, 0x140001640e0?}, 0x6?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x1400017a000, {0x102ef31f8, 0x14000120ba0})
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3285 +0x3f0
2024/04/26 18:04:17 http: panic serving [::1]:58309: runtime error: index out of range [0] with length 0
goroutine 37 [running]:
net/http.(*conn).serve.func1()
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:1898 +0xb0
panic({0x102ed69c0?, 0x14000130150?})
        /opt/homebrew/opt/go/libexec/src/runtime/panic.go:770 +0x124
net/http.(*Request).PathValue(...)
        /opt/homebrew/opt/go/libexec/src/net/http/request.go:1443
main.(*FileHandler).Serve(0xe8?, {0x102ef2d90?, 0x140001641c0?}, 0x10315ca68?)
        /Users/rbabin/Downloads/web-disk/simple/simple.go:13 +0xe8
net/http.HandlerFunc.ServeHTTP(0x1030770a0?, {0x102ef2d90?, 0x140001641c0?}, 0x102df68b8?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2166 +0x38
net/http.(*ServeMux).ServeHTTP(0x0?, {0x102ef2d90, 0x140001641c0}, 0x1400014e6c0)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2683 +0x1a4
net/http.serverHandler.ServeHTTP({0x14000120e40?}, {0x102ef2d90?, 0x140001641c0?}, 0x6?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x1400017a1b0, {0x102ef31f8, 0x14000120ba0})
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3285 +0x3f0
2024/04/26 18:05:03 http: panic serving [::1]:58546: runtime error: index out of range [0] with length 0
goroutine 50 [running]:
net/http.(*conn).serve.func1()
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:1898 +0xb0
panic({0x102ed69c0?, 0x14000224018?})
        /opt/homebrew/opt/go/libexec/src/runtime/panic.go:770 +0x124
net/http.(*Request).PathValue(...)
        /opt/homebrew/opt/go/libexec/src/net/http/request.go:1443
main.(*FileHandler).Serve(0xe8?, {0x102ef2d90?, 0x1400022c000?}, 0x10315cf18?)
        /Users/rbabin/Downloads/web-disk/simple/simple.go:13 +0xe8
net/http.HandlerFunc.ServeHTTP(0x1030770a0?, {0x102ef2d90?, 0x1400022c000?}, 0x102df68b8?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2166 +0x38
net/http.(*ServeMux).ServeHTTP(0x0?, {0x102ef2d90, 0x1400022c000}, 0x14000222000)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2683 +0x1a4
net/http.serverHandler.ServeHTTP({0x14000204090?}, {0x102ef2d90?, 0x1400022c000?}, 0x6?)
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x14000208000, {0x102ef31f8, 0x14000120ba0})
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /opt/homebrew/opt/go/libexec/src/net/http/server.go:3285 +0x3f0

What did you expect to see?

I'm expecting that my server won't panic if i provide an asterisk to path variable
@ythosa ythosa changed the title net/http/request: panic if path value is an asterisk net/http: panic if path value is an asterisk Apr 26, 2024
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 26, 2024
@seankhliao
Copy link
Member

cc @neild @jba

@gopherbot
Copy link

Change https://go.dev/cl/581977 mentions this issue: net/http: check index-out-of-bounds for Request.matches in PathValue, SetPathValue

@gopherbot
Copy link

Change https://go.dev/cl/582115 mentions this issue: net/http: represent multi wildcards properly

@dmitshur dmitshur added this to the Go1.23 milestone Apr 27, 2024
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. FixPending Issues that have a fix which has not yet been reviewed or submitted. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Apr 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.23
Development

No branches or pull requests
4 participants
@dmitshur @gopherbot @ythosa @seankhliao