Skip to content

Issue with HTTP Method Validation in http.NewRequest (v1.22.7) #70225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
JesusMorenoV1 opened this issue Nov 6, 2024 · 2 comments
Closed

Issue with HTTP Method Validation in http.NewRequest (v1.22.7) #70225

JesusMorenoV1 opened this issue Nov 6, 2024 · 2 comments

Comments

@JesusMorenoV1
Copy link

Go version

go version go1.22.7 windows/amd64

Output of go env in your module/workspace:

set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOVCS=
set GOVERSION=go1.22.7
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config

What did you do?

The http.NewRequest method, which internally calls NewRequestWithContext, includes validation for the HTTP method used. However, I have verified that it accepts any string and does not return any error.

this method is not working fine:

func validMethod(method string) bool {
	/*
	     Method         = "OPTIONS"                ; Section 9.2
	                    | "GET"                    ; Section 9.3
	                    | "HEAD"                   ; Section 9.4
	                    | "POST"                   ; Section 9.5
	                    | "PUT"                    ; Section 9.6
	                    | "DELETE"                 ; Section 9.7
	                    | "TRACE"                  ; Section 9.8
	                    | "CONNECT"                ; Section 9.9
	                    | extension-method
	   extension-method = token
	     token          = 1*<any CHAR except CTLs or separators>
	*/
	return len(method) > 0 && strings.IndexFunc(method, isNotToken) == -1
}

here you have a test to check it out:

func TestNewRequest(t *testing.T) {
	_, err := http.NewRequest("INVALID-METHOD.", "https://something.com", nil)
	if err != nil {
		t.Errorf("not nil. %v", err)
	} else {
		t.Log("nil")
	}
}

What did you see happen?

=== RUN TestNewRequest
go_issue_test.go:14: nil
--- PASS: TestNewRequest (0.00s)
PASS

Process finished with the exit code 0

What did you expect to see?

I expected to receive something like

"net/http: invalid method INVALID-METHOD."
@gabyhelp
Copy link

gabyhelp commented Nov 6, 2024

Related Issues and Documentation

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@seankhliao
Copy link
Member

Neither - nor . are restricted characters.

       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

Closing as working as intended.

@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@seankhliao @JesusMorenoV1 @gabyhelp