net/http: bad handling of HEAD requests with a body [1.19 backport] #56154
Comments
We have a Go service that results in user-facing 503s when it gets a
I don't have a strong opinion on whether this should be backported. The impact is that we treat a HEAD request with a body as a protocol error. HEAD requests with a body are uncommon enough that (AFAIK) the first report of the problem was found via fuzzing. This is not a security issue. It has no workaround, however, so the question for whether it meets the backport criteria turns on whether it's serious or not.
See also #56323.
Ping for updates here to make sure this approved cherry-pick moves along. It's been approved for about 20 days now.
another ping here -- @dr2chase is this something you can help with?
Sorry for late reply, net/http is not my area and there's a high risk I'd make a mistake. I did the paperwork for the backport because I was on release-rotation that week. @neild (who assigned himself to the bug 3 days ago) is the right person.
Change https://go.dev/cl/457438 mentions this issue:
Change https://go.dev/cl/457357 mentions this issue:
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload.

Accept HEAD requests with a body.

Test is in net/http CL 418614.

For golang/go#53960.
For golang/go#56154.

Change-Id: I946d3ec796054c3908beb8a69cc78aa51c04c972
Reviewed-on: https://go-review.googlesource.com/c/net/+/418634
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
(cherry picked from commit f8f703f)
Reviewed-on: https://go-review.googlesource.com/c/net/+/457357
Reviewed-by: Than McIntosh <[email protected]>
Change https://go.dev/cl/457556 mentions this issue:
Closed by merging 7540675 to release-branch.go1.19.
…214163817-183621ab9c4e

Update x/net to include the fix for #53960.

For #53960
For #56154

Change-Id: Ib3e0d66e4125601e20f1b2e3040f29e7ebd4b080
Reviewed-on: https://go-review.googlesource.com/c/go/+/457556
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
The backport for the HTTP/1 fix was never merged, thanks to none of us noticing that Gopherbot had prematurely closed this issue (#29599). The HTTP/2 fix was merged, however. Reopening to merge the HTTP/1 fix (https://go.dev/cl/457438) for 1.19.6.
RFC 7231 permits HEAD requests to contain a body, although it does state there are no defined semantics for payloads of HEAD requests and that some servers may reject HEAD requests with a payload.

Accept HEAD requests with a body.

Fix a bug where a HEAD request with a chunked body would interpret the body as the headers for the next request on the connection.

For #53960.
For #56154.

Change-Id: I83f7112fdedabd6d6291cd956151d718ee6942cd
Reviewed-on: https://go-review.googlesource.com/c/go/+/418614
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/457438
Reviewed-by: Than McIntosh <[email protected]>
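A regression check for the behaviour the commit message above describes, added here as an example and not taken from the CL or the Go test suite: it sends a HEAD request with a chunked body and then a GET on the same connection to a loopback `net/http` server, and reports what the handler saw for each. The request paths, the `example.test` host, the `X-Seen` header and the function name are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Constructed sample requests, sent one after the other on a single
// keep-alive connection. The first is a HEAD carrying a chunked body.
var requests = []struct{ method, raw string }{
	{"HEAD", "HEAD /first HTTP/1.1\r\nHost: example.test\r\n" +
		"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"},
	{"GET", "GET /second HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n\r\n"},
}

// probeHeadBody runs a loopback net/http server and returns, per request,
// the status code plus the request line the handler saw (echoed back in
// X-Seen, a header name made up for this example).
func probeHeadBody() ([]string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen", r.Method+" "+r.URL.Path)
	}))
	defer srv.Close()

	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	var results []string
	br := bufio.NewReader(conn)
	for _, rq := range requests {
		if _, err := conn.Write([]byte(rq.raw)); err != nil {
			return results, err
		}
		// Passing the method tells ReadResponse a HEAD reply has no body.
		resp, err := http.ReadResponse(br, &http.Request{Method: rq.method})
		if err != nil {
			return results, err
		}
		resp.Body.Close()
		results = append(results, fmt.Sprintf("%d %s", resp.StatusCode, resp.Header.Get("X-Seen")))
	}
	return results, nil
}

func main() { fmt.Println(probeHeadBody()) }
```

With the fix in the toolchain, both entries carry status 200 and the second one shows `GET /second`, meaning the chunked bytes were consumed as the HEAD request's body rather than parsed as the next request.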
CL 457438 was merged, but lacked a "Fixes" line (I think it was just a typo). Closing.
@bobby-stripe requested issue #53960 to be considered for backport to the next 1.19 minor release.