net/http: reject non three digit status codes in ReadResponse
authorEmmanuel Odeke <emm.odeke@gmail.com>
Mon, 11 Jan 2016 06:20:06 +0000 (23:20 -0700)
committerBrad Fitzpatrick <bradfitz@golang.org>
Wed, 13 Jan 2016 17:38:50 +0000 (17:38 +0000)
Change-Id: If4a90c4017ef4b5c9f497cf117c8ad62b7e15c62
Reviewed-on: https://go-review.googlesource.com/18501
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/net/http/response.go
src/net/http/response_test.go

index 57ae364f57bbeded8c424b651b9edf15489b1904..c424f61cd00e19ba8d6e7b98aa806302eb8af050 100644 (file)
@@ -150,12 +150,14 @@ func ReadResponse(r *bufio.Reader, req *Request) (*Response, error) {
        if len(f) > 2 {
                reasonPhrase = f[2]
        }
-       resp.Status = f[1] + " " + reasonPhrase
+       if len(f[1]) != 3 {
+               return nil, &badStringError{"malformed HTTP status code", f[1]}
+       }
        resp.StatusCode, err = strconv.Atoi(f[1])
-       if err != nil {
+       if err != nil || resp.StatusCode < 0 {
                return nil, &badStringError{"malformed HTTP status code", f[1]}
        }
-
+       resp.Status = f[1] + " " + reasonPhrase
        resp.Proto = f[0]
        var ok bool
        if resp.ProtoMajor, resp.ProtoMinor, ok = ParseHTTPVersion(resp.Proto); !ok {
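Review bot: The new length check at the top of the hunk still lets a signed three-character code through, because strconv.Atoi on the next line accepts a leading '+': a status line such as `+99 OK` has len(f[1]) == 3, parses to 99, passes the `< 0` test and is accepted with StatusCode 99. Checking that every byte is an ASCII digit before parsing closes that gap and makes the negative-value test redundant, e.g. `if len(f[1]) != 3 || strings.Trim(f[1], "0123456789") != "" {` (assuming the strings package is already imported here, as the split that produces f suggests; otherwise a byte loop does the same). The test table in response_test.go in the second hunk should then gain a case like `status("+99 OK", true),` so the sign prefix is pinned as rejected. ReadResponse continues beyond this hunk.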
index abd90595226a5e3fd68e2697256d22c6ea019ddf..b4bf09aa9bdd537683889f14c5eb37f8dc10b2c6 100644 (file)
@@ -798,7 +798,16 @@ func TestReadResponseErrors(t *testing.T) {
                status("c8 OK", true),
                status("0x12d Moved Permanently", true),
                status("200 OK", nil),
-               status("20 OK", nil), // TODO: wrong. we should reject non-three digit
+               status("000 OK", nil),
+               status("001 OK", nil),
+               status("404 NOTFOUND", nil),
+               status("20 OK", true),
+               status("00 OK", true),
+               status("-10 OK", true),
+               status("1000 OK", true),
+               status("999 Done", nil),
+               status("-1 OK", true),
+               status("-200 OK", true),
                version("HTTP/1.2", nil),
                version("HTTP/2.0", nil),
                version("HTTP/1.100000000002", true),