net/http: allows empty header names

Question

net/http: allows empty header names

dvyukov opened this issue 9 years ago · comments

The following program:

package main

import (
    "bufio"
    "bytes"
    "fmt"
    "net/http"
)

func main() {
    data := []byte("GET / HTTP/0.0\n:v\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        return
    }
    fmt.Printf("%q\n", r.Header.Get(""))
}

prints:

"v"

As per RFC 7230 field-name is a token, tokens consist of one or more chars.

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

GopherBot · Answer 1 · Thu Jun 18 2015 21:00:25 GMT+0800 (China Standard Time)

CL https://golang.org/cl/11242 mentions this issue.