net/textproto: reject HTTP requests with empty header keys

According to RFC 7230, empty field names in HTTP header are invalid.
However, there are no specific instructions for developers to deal
with that kind of case in the specification. CL 11242 chose to skip
it and do nothing about it, which now seems like a bad idea because
it has led `net/http` to behave inconsistently with the most widely-used
HTTP implementations: Apache, Nginx, Node with llhttp, H2O, Lighttpd, etc.
in the case of empty header keys.

There is a very small chance that this CL will break a few existing HTTP clients.

Fixes #65244

Change-Id: Ie01e9a6693d27caea4d81d1539345cf42b225535
Reviewed-on: https://go-review.googlesource.com/c/go/+/558095
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index 0c76f1bcc4e44d201bc5a7b11f66482255ab2fd2..21858694144ce222ec1d92eec881c2eb27a13613 100644 (file)
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -4799,6 +4799,10 @@ func TestServerValidatesHeaders(t *testing.T) {
                {"Foo : bar\r\n", 400},
                {"Foo\t: bar\r\n", 400},
 
+               // Empty header keys are invalid.
+               // See RFC 7230, Section 3.2.
+               {": empty key\r\n", 400},
+
                {"foo: foo foo\r\n", 200},    // LWS space is okay
                {"foo: foo\tfoo\r\n", 200},   // LWS tab is okay
                {"foo: foo\x00foo\r\n", 400}, // CTL 0x00 in value is bad

diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
index a603564fb8b0676b14fe93e0040bdaa0597b5384..ee7eb0200bf4e5497547981a7b221c6571594ba1 100644 (file)
--- a/src/net/textproto/reader.go
+++ b/src/net/textproto/reader.go
@@ -535,13 +535,6 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
                        }
                }
 
-               // As per RFC 7230 field-name is a token, tokens consist of one or more chars.
-               // We could return a ProtocolError here, but better to be liberal in what we
-               // accept, so if we get an empty key, skip it.
-               if key == "" {
-                       continue
-               }
-
                maxHeaders--
                if maxHeaders < 0 {
                        return nil, errors.New("message too large")
@@ -725,6 +718,10 @@ func validHeaderValueByte(c byte) bool {
 // ReadMIMEHeader accepts header keys containing spaces, but does not
 // canonicalize them.
 func canonicalMIMEHeaderKey(a []byte) (_ string, ok bool) {
+       if len(a) == 0 {
+               return "", false
+       }
+
        // See if a looks like a header key. If not, return it unchanged.
        noCanon := false
        for _, c := range a {

diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
index 696ae406f3860faa82ffd0bc849e7a1345769d5a..c9c0a98ea4452d1d601bcfc46c49a4fc3051bb4d 100644 (file)
--- a/src/net/textproto/reader_test.go
+++ b/src/net/textproto/reader_test.go
@@ -169,8 +169,8 @@ func TestReaderUpcomingHeaderKeys(t *testing.T) {
 func TestReadMIMEHeaderNoKey(t *testing.T) {
        r := reader(": bar\ntest-1: 1\n\n")
        m, err := r.ReadMIMEHeader()
-       want := MIMEHeader{"Test-1": {"1"}}
-       if !reflect.DeepEqual(m, want) || err != nil {
+       want := MIMEHeader{}
+       if !reflect.DeepEqual(m, want) || err == nil {
                t.Fatalf("ReadMIMEHeader: %v, %v; want %v", m, err, want)
        }
 }
@@ -227,6 +227,7 @@ func TestReadMIMEHeaderMalformed(t *testing.T) {
                "Foo\r\n\t: foo\r\n\r\n",
                "Foo-\n\tBar",
                "Foo \tBar: foo\r\n\r\n",
+               ": empty key\r\n\r\n",
        }
        for _, input := range inputs {
                r := reader(input)