aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEmmanuel Odeke <emm.odeke@gmail.com>2016-01-10 23:20:06 -0700
committerBrad Fitzpatrick <bradfitz@golang.org>2016-01-13 17:38:50 +0000
commit46069bed06551337bc8c9b293040d30e41917289 (patch)
tree97b51084709c9bc283e3fb003cec59aac574c056
parent3d01f28e4729b77fa528b349e1eb434c169ffa8b (diff)
downloadgo-46069bed06551337bc8c9b293040d30e41917289.tar.gz
go-46069bed06551337bc8c9b293040d30e41917289.zip
net/http: reject non three digit status codes in ReadResponse
Change-Id: If4a90c4017ef4b5c9f497cf117c8ad62b7e15c62 Reviewed-on: https://go-review.googlesource.com/18501 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat
-rw-r--r--src/net/http/response.go8
-rw-r--r--src/net/http/response_test.go11
2 files changed, 15 insertions, 4 deletions
diff --git a/src/net/http/response.go b/src/net/http/response.go
index 57ae364f57..c424f61cd0 100644
--- a/src/net/http/response.go
+++ b/src/net/http/response.go
@@ -150,12 +150,14 @@ func ReadResponse(r *bufio.Reader, req *Request) (*Response, error) {
if len(f) > 2 {
reasonPhrase = f[2]
}
- resp.Status = f[1] + " " + reasonPhrase
+ if len(f[1]) != 3 {
+ return nil, &badStringError{"malformed HTTP status code", f[1]}
+ }
resp.StatusCode, err = strconv.Atoi(f[1])
- if err != nil {
+ if err != nil || resp.StatusCode < 0 {
return nil, &badStringError{"malformed HTTP status code", f[1]}
}
-
+ resp.Status = f[1] + " " + reasonPhrase
resp.Proto = f[0]
var ok bool
if resp.ProtoMajor, resp.ProtoMinor, ok = ParseHTTPVersion(resp.Proto); !ok {
diff --git a/src/net/http/response_test.go b/src/net/http/response_test.go
index abd9059522..b4bf09aa9b 100644
--- a/src/net/http/response_test.go
+++ b/src/net/http/response_test.go
@@ -798,7 +798,16 @@ func TestReadResponseErrors(t *testing.T) {
status("c8 OK", true),
status("0x12d Moved Permanently", true),
status("200 OK", nil),
- status("20 OK", nil), // TODO: wrong. we should reject non-three digit
+ status("000 OK", nil),
+ status("001 OK", nil),
+ status("404 NOTFOUND", nil),
+ status("20 OK", true),
+ status("00 OK", true),
+ status("-10 OK", true),
+ status("1000 OK", true),
+ status("999 Done", nil),
+ status("-1 OK", true),
+ status("-200 OK", true),
version("HTTP/1.2", nil),
version("HTTP/2.0", nil),
version("HTTP/1.100000000002", true),
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion