From: Michael Fraenkel
Date: Thu, 15 Dec 2016 14:58:30 +0000 (-0500)
Subject: net/http: make Server validate HTTP method
X-Git-Tag: go1.9beta1~1802
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=bb41b4d599f5758e25091666e123c41b401ac890;p=gostls13.git
net/http: make Server validate HTTP method
Fixes #18319
Change-Id: If88e60a86828f60d8d93fc291932c19bab19e8dc
Reviewed-on: https://go-review.googlesource.com/34470
Reviewed-by: Brad Fitzpatrick
Run-TryBot: Brad Fitzpatrick
TryBot-Result: Gobot Gobot
---
diff --git a/src/net/http/request.go b/src/net/http/request.go
index fb6bb0aab5..168c03e86c 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -930,6 +930,9 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro
 if !ok {
 return nil, &badStringError{"malformed HTTP request", s}
 }
+ if !validMethod(req.Method) {
+ return nil, &badStringError{"invalid method", req.Method}
+ }
 rawurl := req.RequestURI
 if req.ProtoMajor, req.ProtoMinor, ok = ParseHTTPVersion(req.Proto); !ok {
 return nil, &badStringError{"malformed HTTP version", req.Proto}
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index 73dd56e8c4..1358ce8c4a 100644
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
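Review bot: The new `if !validMethod(req.Method)` check gives no hint of what counts as valid, and validMethod itself is not in the hunk; a comment such as `// Reject request methods that are not RFC 7230 tokens before the URL or version is parsed.` would make the intent explicit for the next reader. If readRequest also backs the exported ReadRequest, that function's doc comment should say that it now returns an error for such methods, since callers outside the Server see the behaviour change. The returned badStringError carries req.Method verbatim; whether and how that text is rendered to the client is decided in conn.serve, outside this hunk, so it is worth confirming the error string is not echoed unescaped. readRequest's body continues on both sides of the hunk.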
@@ -5312,3 +5312,30 @@ func TestServerHijackGetsBackgroundByte_big(t *testing.T) {
 t.Error("timeout")
 }
 }
+
+// Issue 18319: test that the Server validates the request method.
+func TestServerValidatesMethod(t *testing.T) {
+ tests := []struct {
+ method string
+ want int
+ }{
+ {"GET", 200},
+ {"GE(T", 400},
+ }
+ for _, tt := range tests {
+ conn := &testConn{closec: make(chan bool, 1)}
+ io.WriteString(&conn.readBuf, tt.method+" / HTTP/1.1\r\nHost: foo.example\r\n\r\n")
+
+ ln := &oneConnListener{conn}
+ go Serve(ln, serve(200))
+ <-conn.closec
+ res, err := ReadResponse(bufio.NewReader(&conn.writeBuf), nil)
+ if err != nil {
+ t.Errorf("For %s, ReadResponse: %v", tt.method, res)
+ continue
+ }
+ if res.StatusCode != tt.want {
+ t.Errorf("For %s, Status = %d; want %d", tt.method, res.StatusCode, tt.want)
+ }
+ }
+}
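Review bot: The failure message in the `if err != nil` branch formats `res` instead of `err`, so a ReadResponse failure would print `<nil>` and hide the real cause; it should read `t.Errorf("For %s, ReadResponse: %v", tt.method, err)`. The return values of `io.WriteString` are dropped; writing to an in-memory buffer makes that harmless, but an explicit `_, _ =` or a check keeps the intent clear and vet-style linters quiet. On the success path `res.Body` is never closed; a `res.Body.Close()` after the status check would match how the other tests in this file treat responses. Only one invalid method (`GE(T`) is exercised, so the table stays easy to extend if further non-token cases are wanted later.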