authorBrad Fitzpatrick <bradfitz@golang.org>2015-06-30 09:22:41 -0700
committerBrad Fitzpatrick <bradfitz@golang.org>2015-06-30 17:59:02 +0000
commit117ddcb83d7f42d6aa72241240af99ded81118e9 (patch)
tree8c6a553a5346c950178980923db34a32cc8c2592 /src/net/http/header.go
parent8884fa747658a0d08675d22aa30636f7a0645cb3 (diff)
net/textproto: don't treat spaces as hyphens in header keys
This was originally done in https://codereview.appspot.com/5690059 (Feb 2012) to deal with bad response headers coming back from webcams, but it presents a potential security problem with HTTP request smuggling for request headers containing "Content Length" instead of "Content-Length". Part of overall HTTP hardening for request smuggling. See RFC 7230. Thanks to Régis Leroy for the report. Change-Id: I92b17fb637c9171c5774ea1437979ae2c17ca88a Reviewed-on: https://go-review.googlesource.com/11772 Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
Diffstat (limited to 'src/net/http/header.go')
-rw-r--r--src/net/http/header.go2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/net/http/header.go b/src/net/http/header.go
index 153b94370f..d847b13118 100644
--- a/src/net/http/header.go
+++ b/src/net/http/header.go
@@ -168,6 +168,8 @@ func (h Header) WriteSubset(w io.Writer, exclude map[string]bool) error {
// letter and any letter following a hyphen to upper case;
// the rest are converted to lowercase. For example, the
// canonical key for "accept-encoding" is "Accept-Encoding".
+// If s contains a space or invalid header field bytes, it is
+// returned without modifications.
func CanonicalHeaderKey(s string) string { return textproto.CanonicalMIMEHeaderKey(s) }
// hasToken reports whether token appears with v, ASCII
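Review bot: The new doc sentence on CanonicalHeaderKey does not say that an unchanged return value is not a validity signal. An already-canonical key such as "Accept-Encoding" also comes back unmodified, so a caller cannot tell a rejected key like "Content Length" from a well-formed one by comparing input and output. I would add a line such as `// An unchanged result does not mean s is a valid field name; callers that must reject malformed keys need to validate s themselves.` "Invalid header field bytes" is also left undefined here; pointing to the RFC 7230 token grammar named in the commit message would make it checkable. The behaviour itself is in textproto.CanonicalMIMEHeaderKey, which is outside this file section, so its doc comment should presumably carry the same wording.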