net/http: reject faux HTTP/0.9 and HTTP/2+ requests

Fixes #16197 Change-Id: Icaabacbb22bc18c52b9e04b47385ac5325fcccd1 Reviewed-on: https://go-review.googlesource.com/24505 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>

net/http: reject faux HTTP/0.9 and HTTP/2+ requests
Fixes #16197 Change-Id: Icaabacbb22bc18c52b9e04b47385ac5325fcccd1 Reviewed-on: https://go-review.googlesource.com/24505 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
3e9d6e06 · Brad Fitzpatrick · e0f986bf · 3e9d6e06 · 3e9d6e06
Commit 3e9d6e06 authored Jun 27, 2016 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 0 deletions

serve_test.go src/net/http/serve_test.go +7 -0

server.go src/net/http/server.go +21 -0

No files found.
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -3958,6 +3958,8 @@ func TestServerValidatesHostHeader(t *testing.T) {
 		host  string
 		want  int
 	}{
+		{"HTTP/0.9", "", 400},
+
 		{"HTTP/1.1", "", 400},
 		{"HTTP/1.1", "Host: \r\n", 200},
 		{"HTTP/1.1", "Host: 1.2.3.4\r\n", 200},
@@ -3983,6 +3985,11 @@ func TestServerValidatesHostHeader(t *testing.T) {

 		// Make an exception for HTTP upgrade requests:
 		{"PRI * HTTP/2.0", "", 200},
+
+		// But not other HTTP/2 stuff:
+		{"PRI / HTTP/2.0", "", 400},
+		{"GET / HTTP/2.0", "", 400},
+		{"GET / HTTP/3.0", "", 400},
 	}
 	for _, tt := range tests {
 		conn := &testConn{closec: make(chan bool, 1)}

--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -771,6 +771,10 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
 		return nil, err
 	}

+	if !http1ServerSupportsRequest(req) {
+		return nil, badRequestError("unsupported protocol version")
+	}
+
 	ctx, cancelCtx := context.WithCancel(ctx)
 	req.ctx = ctx

@@ -828,6 +832,23 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
 	return w, nil
 }

+// http1ServerSupportsRequest reports whether Go's HTTP/1.x server
+// supports the given request.
+func http1ServerSupportsRequest(req *Request) bool {
+	if req.ProtoMajor == 1 {
+		return true
+	}
+	// Accept "PRI * HTTP/2.0" upgrade requests, so Handlers can
+	// wire up their own HTTP/2 upgrades.
+	if req.ProtoMajor == 2 && req.ProtoMinor == 0 &&
+		req.Method == "PRI" && req.RequestURI == "*" {
+		return true
+	}
+	// Reject HTTP/0.x, and all other HTTP/2+ requests (which
+	// aren't encoded in ASCII anyway).
+	return false
+}
+
 func (w *response) Header() Header {
 	if w.cw.header == nil && w.wroteHeader && !w.cw.wroteHeader {
 		// Accessing the header between logically writing it