net/http: fix too-strict validation of server header values

As Andy Balholm noted in #11207: "RFC2616 §4.2 says that a header's field-content can consist of *TEXT, and RFC2616 §2.2 says that TEXT is <any OCTET except CTLs, but including LWS>, so that would mean that bytes greater than 128 are allowed." This is a partial rollback of the strictness from https://golang.org/cl/11207 (added in the Go 1.6 dev cycle, only released in Go 1.6beta1) Fixes #11207 Change-Id: I3a752a7941de100e4803ff16a5d626d5cfec4f03 Reviewed-on: https://go-review.googlesource.com/18374Reviewed-by: Russ Cox <rsc@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>

net/http: fix too-strict validation of server header values
As Andy Balholm noted in #11207: "RFC2616 §4.2 says that a header's field-content can consist of *TEXT, and RFC2616 §2.2 says that TEXT is <any OCTET except CTLs, but including LWS>, so that would mean that bytes greater than 128 are allowed." This is a partial rollback of the strictness from https://golang.org/cl/11207 (added in the Go 1.6 dev cycle, only released in Go 1.6beta1) Fixes #11207 Change-Id: I3a752a7941de100e4803ff16a5d626d5cfec4f03 Reviewed-on: https://go-review.googlesource.com/18374Reviewed-by: Russ Cox <rsc@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
0421e78f · Brad Fitzpatrick · ee566d53 · 0421e78f · 0421e78f
Commit 0421e78f authored Jan 08, 2016 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 8 deletions

request.go src/net/http/request.go +2 -6

serve_test.go src/net/http/serve_test.go +2 -2

No files found.
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -1139,13 +1139,9 @@ func validHeaderName(v string) bool {
 func validHeaderValue(v string) bool {
 	for i := 0; i < len(v); i++ {
 		b := v[i]
-		if b == '\t' {
-			continue
-		}
-		if ' ' <= b && b <= '~' {
-			continue
+		if b < ' ' && b != '\t' {
+			return false
 		}
-		return false
 	}
 	return true
 }
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -3798,8 +3798,8 @@ func TestServerValidatesHeaders(t *testing.T) {
 		{"foo\xffbar: foo\r\n", 400}, // binary in header
 		{"foo\x00bar: foo\r\n", 400}, // binary in header

-		{"foo: foo\x00foo\r\n", 400}, // binary in value
-		{"foo: foo\xfffoo\r\n", 400}, // binary in value
+		{"foo: foo\x00foo\r\n", 400}, // CTL in value is bad
+		{"foo: foo\xfffoo\r\n", 200}, // non-ASCII high octets in value are fine
 	}
 	for _, tt := range tests {
 		conn := &testConn{closec: make(chan bool)}