net/http: allows invalid characters in header values
dvyukov opened this issue · 7 comments
net/http successfully parses invalid characters in HTTP header values.
For example, in the following program the header value is not preserved after Write/Parse. But in general header values must contain only visible characters (0x21-0x7f) + space and tab.
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
)

func main() {
	// Header "h" carries a bare CR (0x0d) inside its value.
	data := []byte("GET / HTTP/1.1\nh:0\r0\n\n")
	r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
	if err != nil {
		panic(err)
	}
	// Serialize the parsed request and print the bytes that went out.
	buf := new(bytes.Buffer)
	if err := r.WriteProxy(buf); err != nil {
		panic(err)
	}
	fmt.Printf("%q\n", buf.Bytes())
	// Parse the serialized form again and compare the header value.
	r1, err := http.ReadRequest(bufio.NewReader(buf))
	if err != nil {
		panic(err)
	}
	if r.Header.Get("h") != r1.Header.Get("h") {
		fmt.Printf("h0: %q\n", r.Header.Get("h"))
		fmt.Printf("h1: %q\n", r1.Header.Get("h"))
		panic("header changed")
	}
}
"GET / HTTP/1.1\r\nHost: \r\nUser-Agent: Go 1.1 package http\r\nH: 0 0\r\n\r\n"
h0: "0\r0"
h1: "0 0"
go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64
Didn't I see a CL for this today?
That was specifically for Host headers. This is all headers. Very similar. I'll do this one today.
CL https://golang.org/cl/17980 mentions this issue.
I think this is too strict. RFC2616 §4.2 says that a header's field-content can consist of *TEXT, and RFC2616 §2.2 says that TEXT is <any OCTET except CTLs, but including LWS>, so that would mean that bytes greater than 128 are allowed.
@andybalholm, thanks.
CL https://golang.org/cl/18374 mentions this issue.
CL https://golang.org/cl/18375 mentions this issue.