Closed
Description
Go version
go version devel go1.22-2e6387cbec Fri Dec 1 18:47:51 2023 +0000 linux/amd64
What operating system and processor architecture are you using (`go env`)?
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/app/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/app/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='devel go1.22-2e6387cbec Fri Dec 1 18:47:51 2023 +0000'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='0'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1615445855=/tmp/go-build -gno-record-gcc-switches'
What did you do?
- Compile and run the following program:
```go
package main

import (
	"fmt"
	"net/http"
)

// handle_request answers every request with a fixed body.
func handle_request(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(w, "request received.\n")
}

func main() {
	s := &http.Server{
		Addr:           "127.0.0.1:8080",
		Handler:        http.HandlerFunc(handle_request),
		MaxHeaderBytes: 1 << 20,
	}
	s.ListenAndServe()
}
```
- Send the following payload to the server (for instance, with `nc`):
```
GET / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
\r\n
\r\n
```
What did you expect to see?
The server should either respond 400 or time out, because the chunked message body is invalid. A chunked message body must be terminated with `0\r\n\r\n`. Terminating chunked message bodies on `\r\n\r\n` alone introduces risk from any gateway that may have interpreted the request framing differently.
What did you see instead?
The server responds 200.
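A strict framing check for the expectation stated in the report, as an added example that is not part of the original issue and is not net/http's own parser. `ValidateChunked` is a hypothetical helper name; it assumes the whole body is already in memory, skips chunk extensions without validating them, and ignores any bytes after the terminating empty line.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

var crlf = []byte("\r\n")
var errIncomplete = errors.New("incomplete: missing CRLF")

// ValidateChunked (hypothetical helper) rejects any body not ended by a zero-size last-chunk.
func ValidateChunked(body []byte) error {
	for {
		line, rest, ok := bytes.Cut(body, crlf)
		if !ok {
			return errIncomplete
		}
		if i := bytes.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // chunk extensions are skipped, not validated
		}
		// Base 16 permits no sign or 0x prefix, and "" fails: at least one hex digit.
		size, err := strconv.ParseUint(string(line), 16, 64)
		if err != nil {
			return fmt.Errorf("invalid chunk-size %q", line)
		}
		if size == 0 { // last-chunk: consume trailer fields up to the empty line
			for {
				if line, rest, ok = bytes.Cut(rest, crlf); !ok {
					return errIncomplete
				}
				if len(line) == 0 {
					return nil
				}
			}
		}
		if size > uint64(len(rest)) || !bytes.HasPrefix(rest[size:], crlf) {
			return errors.New("chunk-data truncated or missing CRLF")
		}
		body = rest[size+2:]
	}
}

func main() {
	fmt.Println(ValidateChunked([]byte("\r\n\r\n")))  // body from the report
	fmt.Println(ValidateChunked([]byte("0\r\n\r\n"))) // valid empty chunked body
}
```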