Skip to content

net/http: allows invalid characters in header values #11207

Closed
@dvyukov

Description

@dvyukov

net/http successfully parses invalid characters in http header values.
For examples, in the following program header value is not preserved after Write/Parse. But in general header values must contain only visible character (0x21-0x7f) + space and tab.

package main

import (
    "bufio"
    "bytes"
    "net/http"
    "fmt"
)

func main() {
    data := []byte("GET / HTTP/1.1\nh:0\r0\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    buf := new(bytes.Buffer)
    if err := r.WriteProxy(buf); err != nil {
        panic(err)
    }
    fmt.Printf("%q\n", buf.Bytes())
    r1, err := http.ReadRequest(bufio.NewReader(buf))
    if err != nil {
        panic(err)
    }
    if r.Header.Get("h") != r1.Header.Get("h") {
        fmt.Printf("h0: %q\n", r.Header.Get("h"))
        fmt.Printf("h1: %q\n", r1.Header.Get("h"))
        panic("header changed")
    }
}
"GET / HTTP/1.1\r\nHost: \r\nUser-Agent: Go 1.1 package http\r\nH: 0 0\r\n\r\n"
h0: "0\r0"
h1: "0 0"

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions