Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: allows invalid characters in header values #11207

Closed
dvyukov opened this issue Jun 13, 2015 · 7 comments
Closed

net/http: allows invalid characters in header values #11207

dvyukov opened this issue Jun 13, 2015 · 7 comments
Labels
FrozenDueToAge
Milestone
Go1.6

Comments

@dvyukov
Copy link
Member

dvyukov commented Jun 13, 2015

net/http successfully parses invalid characters in http header values.
For examples, in the following program header value is not preserved after Write/Parse. But in general header values must contain only visible character (0x21-0x7f) + space and tab.

package main

import (
    "bufio"
    "bytes"
    "net/http"
    "fmt"
)

func main() {
    data := []byte("GET / HTTP/1.1\nh:0\r0\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    buf := new(bytes.Buffer)
    if err := r.WriteProxy(buf); err != nil {
        panic(err)
    }
    fmt.Printf("%q\n", buf.Bytes())
    r1, err := http.ReadRequest(bufio.NewReader(buf))
    if err != nil {
        panic(err)
    }
    if r.Header.Get("h") != r1.Header.Get("h") {
        fmt.Printf("h0: %q\n", r.Header.Get("h"))
        fmt.Printf("h1: %q\n", r1.Header.Get("h"))
        panic("header changed")
    }
}
"GET / HTTP/1.1\r\nHost: \r\nUser-Agent: Go 1.1 package http\r\nH: 0 0\r\n\r\n"
h0: "0\r0"
h1: "0 0"

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64
@ianlancetaylor ianlancetaylor added this to the Go1.6 milestone Jun 14, 2015
@rsc
Copy link
Contributor

rsc commented Dec 17, 2015

Didn't I see a CL for this today?

@bradfitz
Copy link
Contributor

That was specifically for Host headers. This is all headers. Very similar. I'll do this one today.

@gopherbot
Copy link
Contributor

CL https://golang.org/cl/17980 mentions this issue.

@andybalholm
Copy link
Contributor

I think this is too strict. RFC2616 §4.2 says that a header's field-content can consist of *TEXT, and RFC2616 §2.2 says that TEXT is <any OCTET except CTLs, but including LWS>, so that would mean that bytes greater than 128 are allowed.

@bradfitz
Copy link
Contributor

bradfitz commented Jan 8, 2016

@andybalholm, thanks.

@bradfitz bradfitz reopened this Jan 8, 2016
@gopherbot
Copy link
Contributor

CL https://golang.org/cl/18374 mentions this issue.

@gopherbot
Copy link
Contributor

CL https://golang.org/cl/18375 mentions this issue.

bradfitz added a commit that referenced this issue Jan 8, 2016
@bradfitz
net/http: fix validHeaderValue yet again, excluding the DEL CTL byte
39ad0fd 
Third time's a charm.

Thanks to Ralph Corderoy for noticing the DEL omission.

Update #11207

Change-Id: I174fd01eaecceae1eb220f2c9136e12d40fbe943
Reviewed-on: https://go-review.googlesource.com/18375
Reviewed-by: Russ Cox <[email protected]>
Run-TryBot: Brad Fitzpatrick <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
@golang golang locked and limited conversation to collaborators Jan 7, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.6
Development

No branches or pull requests
6 participants
@bradfitz @rsc @andybalholm @dvyukov @ianlancetaylor @gopherbot