net/http: don't accept invalid bytes in server request headers

Fixes #11207 Change-Id: I7f00b638e749fbc7907dc1597347ea426367d13e Reviewed-on: https://go-review.googlesource.com/17980 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
author: Brad Fitzpatrick <bradfitz@golang.org> 2015-12-17 19:25:51 +0000
committer: Brad Fitzpatrick <bradfitz@golang.org> 2015-12-17 20:22:08 +0000
commit: c052222b3467ca031b267f25f3dcc4b871485793 (patch)
tree: dd68e9f3d5d1dade76bbf90c6ab19e3d446aca6d /src/net/http/request.go
parent: 18227bb7b6ce14c2736543777f1d5cebeff11abd (diff)
download: go-c052222b3467ca031b267f25f3dcc4b871485793.tar.xz
1 files changed, 21 insertions, 0 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go
index d706d8e1b6..d1793c75d7 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -1121,3 +1121,24 @@ var validHostByte = [256]bool{
 	'_':  true, // unreserved
 	'~':  true, // unreserved
 }
+
+func validHeaderName(v string) bool {
+	if len(v) == 0 {
+		return false
+	}
+	return strings.IndexFunc(v, isNotToken) == -1
+}
+
+func validHeaderValue(v string) bool {
+	for i := 0; i < len(v); i++ {
+		b := v[i]
+		if b == '\t' {
+			continue
+		}
+		if ' ' <= b && b <= '~' {
+			continue
+		}
+		return false
+	}
+	return true
+}
author	Brad Fitzpatrick <bradfitz@golang.org>	2015-12-17 19:25:51 +0000
committer	Brad Fitzpatrick <bradfitz@golang.org>	2015-12-17 20:22:08 +0000
commit	c052222b3467ca031b267f25f3dcc4b871485793 (patch)
tree	dd68e9f3d5d1dade76bbf90c6ab19e3d446aca6d /src/net/http/request.go
parent	18227bb7b6ce14c2736543777f1d5cebeff11abd (diff)
download	go-c052222b3467ca031b267f25f3dcc4b871485793.tar.xz