Closed
Description
net/http successfully parses invalid characters in http header values.
For examples, in the following program header value is not preserved after Write/Parse. But in general header values must contain only visible character (0x21-0x7f) + space and tab.
package main
import (
"bufio"
"bytes"
"net/http"
"fmt"
)
func main() {
data := []byte("GET / HTTP/1.1\nh:0\r0\n\n")
r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
if err != nil {
panic(err)
}
buf := new(bytes.Buffer)
if err := r.WriteProxy(buf); err != nil {
panic(err)
}
fmt.Printf("%q\n", buf.Bytes())
r1, err := http.ReadRequest(bufio.NewReader(buf))
if err != nil {
panic(err)
}
if r.Header.Get("h") != r1.Header.Get("h") {
fmt.Printf("h0: %q\n", r.Header.Get("h"))
fmt.Printf("h1: %q\n", r1.Header.Get("h"))
panic("header changed")
}
}"GET / HTTP/1.1\r\nHost: \r\nUser-Agent: Go 1.1 package http\r\nH: 0 0\r\n\r\n"
h0: "0\r0"
h1: "0 0"
go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64