Commit 0421e78f authored by Brad Fitzpatrick's avatar Brad Fitzpatrick

net/http: fix too-strict validation of server header values

As Andy Balholm noted in #11207:

"RFC2616 §4.2 says that a header's field-content can consist of *TEXT,
and RFC2616 §2.2 says that TEXT is <any OCTET except CTLs, but
including LWS>, so that would mean that bytes greater than 128 are
allowed."

This is a partial rollback of the strictness from
https://golang.org/cl/11207 (added in the Go 1.6 dev cycle, only
released in Go 1.6beta1)

Fixes #11207

Change-Id: I3a752a7941de100e4803ff16a5d626d5cfec4f03
Reviewed-on: https://go-review.googlesource.com/18374Reviewed-by: default avatarRuss Cox <rsc@golang.org>
Reviewed-by: default avatarAndrew Gerrand <adg@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
parent ee566d53
......@@ -1139,13 +1139,9 @@ func validHeaderName(v string) bool {
func validHeaderValue(v string) bool {
for i := 0; i < len(v); i++ {
b := v[i]
if b == '\t' {
continue
}
if ' ' <= b && b <= '~' {
continue
if b < ' ' && b != '\t' {
return false
}
return false
}
return true
}
......@@ -3798,8 +3798,8 @@ func TestServerValidatesHeaders(t *testing.T) {
{"foo\xffbar: foo\r\n", 400}, // binary in header
{"foo\x00bar: foo\r\n", 400}, // binary in header
{"foo: foo\x00foo\r\n", 400}, // binary in value
{"foo: foo\xfffoo\r\n", 400}, // binary in value
{"foo: foo\x00foo\r\n", 400}, // CTL in value is bad
{"foo: foo\xfffoo\r\n", 200}, // non-ASCII high octets in value are fine
}
for _, tt := range tests {
conn := &testConn{closec: make(chan bool)}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment