net/http: make Server validate HTTP method
authorMichael Fraenkel <michael.fraenkel@gmail.com>
Thu, 15 Dec 2016 14:58:30 +0000 (09:58 -0500)
committerBrad Fitzpatrick <bradfitz@golang.org>
Wed, 1 Feb 2017 22:19:00 +0000 (22:19 +0000)
Fixes #18319

Change-Id: If88e60a86828f60d8d93fc291932c19bab19e8dc
Reviewed-on: https://go-review.googlesource.com/34470
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/net/http/request.go
src/net/http/serve_test.go

index fb6bb0aab5873a4c6148ff6a22c428d1b9e04439..168c03e86c3786559b642043bbdd7623919bda37 100644 (file)
@@ -930,6 +930,9 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro
        if !ok {
                return nil, &badStringError{"malformed HTTP request", s}
        }
+       if !validMethod(req.Method) {
+               return nil, &badStringError{"invalid method", req.Method}
+       }
        rawurl := req.RequestURI
        if req.ProtoMajor, req.ProtoMinor, ok = ParseHTTPVersion(req.Proto); !ok {
                return nil, &badStringError{"malformed HTTP version", req.Proto}
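Review bot: The new `validMethod` check at the top of the hunk carries no comment saying what it rejects, and the helper itself is outside this hunk, so a reader of readRequest cannot tell whether a method like `GE(T` fails on the token grammar or on some allow-list; a one-line comment such as `// Reject methods that are not HTTP tokens before the URL or version is looked at (issue 18319).` would fix that, assuming validMethod is the token check — confirm against its definition. Because readRequest is presumably also the implementation behind the exported ReadRequest, this tightening applies to every caller of that API and not only to Server, which is worth stating in the commit message or the ReadRequest doc comment. Placing the check before ParseHTTPVersion means a request that is malformed in both places reports only "invalid method", which is fine for a 400 path but should be the intended precedence. readRequest continues outside the hunk in both directions.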
index 73dd56e8c426562c966aaf56954a06b4655e9517..1358ce8c4a79d3587641aeb2e5704c51f6cafbdf 100644 (file)
@@ -5312,3 +5312,30 @@ func TestServerHijackGetsBackgroundByte_big(t *testing.T) {
                t.Error("timeout")
        }
 }
+
+// Issue 18319: test that the Server validates the request method.
+func TestServerValidatesMethod(t *testing.T) {
+       tests := []struct {
+               method string
+               want   int
+       }{
+               {"GET", 200},
+               {"GE(T", 400},
+       }
+       for _, tt := range tests {
+               conn := &testConn{closec: make(chan bool, 1)}
+               io.WriteString(&conn.readBuf, tt.method+" / HTTP/1.1\r\nHost: foo.example\r\n\r\n")
+
+               ln := &oneConnListener{conn}
+               go Serve(ln, serve(200))
+               <-conn.closec
+               res, err := ReadResponse(bufio.NewReader(&conn.writeBuf), nil)
+               if err != nil {
+                       t.Errorf("For %s, ReadResponse: %v", tt.method, res)
+                       continue
+               }
+               if res.StatusCode != tt.want {
+                       t.Errorf("For %s, Status = %d; want %d", tt.method, res.StatusCode, tt.want)
+               }
+       }
+}
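Review bot: The failure branch after ReadResponse formats the wrong value: `t.Errorf("For %s, ReadResponse: %v", tt.method, res)` prints `res`, which is nil whenever err is non-nil, so a failing run shows `<nil>` instead of the error; it should be `t.Errorf("For %q, ReadResponse: %v", tt.method, err)`. Using `%q` there and in the status mismatch message also makes an invalid method such as `GE(T` unambiguous in the log. The return value of io.WriteString into readBuf is dropped; a bytes.Buffer write cannot fail, so that is acceptable in a test, but the 400 case would be more convincing with a third entry containing a control character so the rejection is exercised on more than one malformed token.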