diff options
| author | Michael Fraenkel <michael.fraenkel@gmail.com> | 2016-12-15 09:58:30 -0500 |
|---|---|---|
| committer | Brad Fitzpatrick <bradfitz@golang.org> | 2017-02-01 22:19:00 +0000 |
| commit | bb41b4d599f5758e25091666e123c41b401ac890 (patch) | |
| tree | 07bf2405fd1f216bf701c7c72dfc82808bcb32c0 /src | |
| parent | 90de5e817c257ffea8dbba12a9f012e22b8c0c7c (diff) | |
| download | go-bb41b4d599f5758e25091666e123c41b401ac890.tar.xz | |
net/http: make Server validate HTTP method
Fixes #18319
Change-Id: If88e60a86828f60d8d93fc291932c19bab19e8dc
Reviewed-on: https://go-review.googlesource.com/34470
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/net/http/request.go | 3 | ||||
| -rw-r--r-- | src/net/http/serve_test.go | 27 |
2 files changed, 30 insertions, 0 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go index fb6bb0aab5..168c03e86c 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -930,6 +930,9 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro if !ok { return nil, &badStringError{"malformed HTTP request", s} } + if !validMethod(req.Method) { + return nil, &badStringError{"invalid method", req.Method} + } rawurl := req.RequestURI if req.ProtoMajor, req.ProtoMinor, ok = ParseHTTPVersion(req.Proto); !ok { return nil, &badStringError{"malformed HTTP version", req.Proto} diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go index 73dd56e8c4..1358ce8c4a 100644 --- a/src/net/http/serve_test.go +++ b/src/net/http/serve_test.go @@ -5312,3 +5312,30 @@ func TestServerHijackGetsBackgroundByte_big(t *testing.T) { t.Error("timeout") } } + +// Issue 18319: test that the Server validates the request method. +func TestServerValidatesMethod(t *testing.T) { + tests := []struct { + method string + want int + }{ + {"GET", 200}, + {"GE(T", 400}, + } + for _, tt := range tests { + conn := &testConn{closec: make(chan bool, 1)} + io.WriteString(&conn.readBuf, tt.method+" / HTTP/1.1\r\nHost: foo.example\r\n\r\n") + + ln := &oneConnListener{conn} + go Serve(ln, serve(200)) + <-conn.closec + res, err := ReadResponse(bufio.NewReader(&conn.writeBuf), nil) + if err != nil { + t.Errorf("For %s, ReadResponse: %v", tt.method, res) + continue + } + if res.StatusCode != tt.want { + t.Errorf("For %s, Status = %d; want %d", tt.method, res.StatusCode, tt.want) + } + } +} |