From 0421e78f0556f98d782cdcbad6eaa2612603acf9 Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Fri, 8 Jan 2016 01:06:00 +0000 Subject: [PATCH] net/http: fix too-strict validation of server header values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As Andy Balholm noted in #11207: "RFC2616 §4.2 says that a header's field-content can consist of *TEXT, and RFC2616 §2.2 says that TEXT is , so that would mean that bytes greater than 128 are allowed." This is a partial rollback of the strictness from https://golang.org/cl/11207 (added in the Go 1.6 dev cycle, only released in Go 1.6beta1) Fixes #11207 Change-Id: I3a752a7941de100e4803ff16a5d626d5cfec4f03 Reviewed-on: https://go-review.googlesource.com/18374 Reviewed-by: Russ Cox Reviewed-by: Andrew Gerrand Run-TryBot: Brad Fitzpatrick --- src/net/http/request.go | 8 ++------ src/net/http/serve_test.go | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/src/net/http/request.go b/src/net/http/request.go index 28f05174c04715..1a6a97d4d7f235 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -1139,13 +1139,9 @@ func validHeaderName(v string) bool { func validHeaderValue(v string) bool { for i := 0; i < len(v); i++ { b := v[i] - if b == '\t' { - continue - } - if ' ' <= b && b <= '~' { - continue + if b < ' ' && b != '\t' { + return false } - return false } return true } diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go index 34e2a4d6700808..be175f8420b5f1 100644 --- a/src/net/http/serve_test.go +++ b/src/net/http/serve_test.go @@ -3798,8 +3798,8 @@ func TestServerValidatesHeaders(t *testing.T) { {"foo\xffbar: foo\r\n", 400}, // binary in header {"foo\x00bar: foo\r\n", 400}, // binary in header - {"foo: foo\x00foo\r\n", 400}, // binary in value - {"foo: foo\xfffoo\r\n", 400}, // binary in value + {"foo: foo\x00foo\r\n", 400}, // CTL in value is bad + {"foo: foo\xfffoo\r\n", 200}, // non-ASCII high octets in value are fine } for _, tt := range tests { conn := &testConn{closec: make(chan bool)}