Issue with HTTP Method Validation in http.NewRequest (v1.22.7)

[JesusMorenoV1]

Go version

go version go1.22.7 windows/amd64

Output of go env in your module/workspace:

set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOVCS=
set GOVERSION=go1.22.7
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config

What did you do?

The http.NewRequest method, which internally calls NewRequestWithContext, includes validation for the HTTP method used. However, I have verified that it accepts any string and does not return any error.

this method is not working fine:

func validMethod(method string) bool {
	/*
	     Method         = "OPTIONS"                ; Section 9.2
	                    | "GET"                    ; Section 9.3
	                    | "HEAD"                   ; Section 9.4
	                    | "POST"                   ; Section 9.5
	                    | "PUT"                    ; Section 9.6
	                    | "DELETE"                 ; Section 9.7
	                    | "TRACE"                  ; Section 9.8
	                    | "CONNECT"                ; Section 9.9
	                    | extension-method
	   extension-method = token
	     token          = 1*<any CHAR except CTLs or separators>
	*/
	return len(method) > 0 && strings.IndexFunc(method, isNotToken) == -1
}

here you have a test to check it out:

func TestNewRequest(t *testing.T) {
	_, err := http.NewRequest("INVALID-METHOD.", "https://something.com", nil)
	if err != nil {
		t.Errorf("not nil. %v", err)
	} else {
		t.Log("nil")
	}
}

What did you see happen?

=== RUN TestNewRequest
go_issue_test.go:14: nil
--- PASS: TestNewRequest (0.00s)
PASS

Process finished with the exit code 0

What did you expect to see?

I expected to receive something like

"net/http: invalid method INVALID-METHOD."

[gabyhelp]

Related Issues and Documentation

• net/http: invalid http request methods accepted in NewRequest and NewRequestWithContext #44291 (closed)
• affected/package: http #59759 (closed)
• net/http: Server does not validate of HTTP method like Transport and NewRequest #18319 (closed)
• net/http: Request method does not default to GET with http2 #31061 (closed)
• net/http: NewRequest/NewRequestWithContext fails with (*bytes.Buffer)(nil) #68252 (closed)
• net/http/httptest: should validate given URL #69750 (closed)
• net/http: invalid method strings #12078 (closed)
• net/http: request.Method is wrong when path start by // #29584 (closed)
• net/http: Double slash in request leads Method to always be GET #69063 (closed)
• net/http: accept empty method in Transport again

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

Neither - nor . are restricted characters.

       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

Closing as working as intended.