From bb41b4d599f5758e25091666e123c41b401ac890 Mon Sep 17 00:00:00 2001
From: Michael Fraenkel
Date: Thu, 15 Dec 2016 09:58:30 -0500
Subject: net/http: make Server validate HTTP method
Fixes #18319
Change-Id: If88e60a86828f60d8d93fc291932c19bab19e8dc
Reviewed-on: https://go-review.googlesource.com/34470
Reviewed-by: Brad Fitzpatrick
Run-TryBot: Brad Fitzpatrick
TryBot-Result: Gobot Gobot
---
 src/net/http/request.go | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/net/http/request.go')
diff --git a/src/net/http/request.go b/src/net/http/request.go
index fb6bb0aab5..168c03e86c 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -930,6 +930,9 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro
 if !ok {
 return nil, &badStringError{"malformed HTTP request", s}
 }
+ if !validMethod(req.Method) {
+ return nil, &badStringError{"invalid method", req.Method}
+ }
 rawurl := req.RequestURI
 if req.ProtoMajor, req.ProtoMinor, ok = ParseHTTPVersion(req.Proto); !ok {
 return nil, &badStringError{"malformed HTTP version", req.Proto}
-- cgit v1.3-6-g1900
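Review bot: The new rejection path at `if !validMethod(req.Method)` puts the raw, client-supplied method string into the returned `badStringError`, so whatever formats or logs that error needs to quote or escape it. How `badStringError` renders its second field is not visible in this hunk, so it is worth confirming that control characters in a rejected method cannot reach a log line or response verbatim. The check would also benefit from a one-line comment stating the intent, for example `// Reject methods that are not valid tokens before any further parsing of the request line.` `validMethod` is defined outside the hunk, so whether it also rejects an empty method cannot be confirmed from here. `readRequest`'s body starts and ends outside the hunk.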