1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
22 "golang_org/x/net/http/httpguts"
25 // ErrLineTooLong is returned when reading request or response bodies
26 // with malformed chunked encoding.
27 var ErrLineTooLong = internal.ErrLineTooLong
29 type errorReader struct {
33 func (r errorReader) Read(p []byte) (n int, err error) {
37 type byteReader struct {
42 func (br *byteReader) Read(p []byte) (n int, err error) {
54 // transferBodyReader is an io.Reader that reads from tw.Body
55 // and records any non-EOF error in tw.bodyReadError.
56 // It is exactly 1 pointer wide to avoid allocations into interfaces.
57 type transferBodyReader struct{ tw *transferWriter }
59 func (br transferBodyReader) Read(p []byte) (n int, err error) {
60 n, err = br.tw.Body.Read(p)
61 if err != nil && err != io.EOF {
62 br.tw.bodyReadError = err
67 // transferWriter inspects the fields of a user-supplied Request or Response,
68 // sanitizes them without changing the user object and provides methods for
69 // writing the respective header, body and trailer in wire format.
70 type transferWriter struct {
75 ContentLength int64 // -1 means unknown, 0 means exactly none
77 TransferEncoding []string
81 bodyReadError error // any non-EOF error from reading Body
83 FlushHeaders bool // flush headers to network before body
84 ByteReadCh chan readResult // non-nil if probeRequestBody called
87 func newTransferWriter(r interface{}) (t *transferWriter, err error) {
90 // Extract relevant fields
91 atLeastHTTP11 := false
92 switch rr := r.(type) {
94 if rr.ContentLength != 0 && rr.Body == nil {
95 return nil, fmt.Errorf("http: Request.ContentLength=%d with nil Body", rr.ContentLength)
97 t.Method = valueOrDefault(rr.Method, "GET")
99 t.TransferEncoding = rr.TransferEncoding
101 t.Trailer = rr.Trailer
103 t.BodyCloser = rr.Body
104 t.ContentLength = rr.outgoingLength()
105 if t.ContentLength < 0 && len(t.TransferEncoding) == 0 && t.shouldSendChunkedRequestBody() {
106 t.TransferEncoding = []string{"chunked"}
108 atLeastHTTP11 = true // Transport requests are always 1.1 or 2.0
111 if rr.Request != nil {
112 t.Method = rr.Request.Method
115 t.BodyCloser = rr.Body
116 t.ContentLength = rr.ContentLength
118 t.TransferEncoding = rr.TransferEncoding
120 t.Trailer = rr.Trailer
121 atLeastHTTP11 = rr.ProtoAtLeast(1, 1)
122 t.ResponseToHEAD = noResponseBodyExpected(t.Method)
125 // Sanitize Body,ContentLength,TransferEncoding
126 if t.ResponseToHEAD {
128 if chunked(t.TransferEncoding) {
132 if !atLeastHTTP11 || t.Body == nil {
133 t.TransferEncoding = nil
135 if chunked(t.TransferEncoding) {
137 } else if t.Body == nil { // no chunking, no body
143 if !chunked(t.TransferEncoding) {
150 // shouldSendChunkedRequestBody reports whether we should try to send a
151 // chunked request body to the server. In particular, the case we really
152 // want to prevent is sending a GET or other typically-bodyless request to a
153 // server with a chunked body when the body has zero bytes, since GETs with
154 // bodies (while acceptable according to specs), even zero-byte chunked
155 // bodies, are approximately never seen in the wild and confuse most
156 // servers. See Issue 18257, as one example.
158 // The only reason we'd send such a request is if the user set the Body to a
159 // non-nil value (say, ioutil.NopCloser(bytes.NewReader(nil))) and didn't
160 // set ContentLength, or NewRequest set it to -1 (unknown), so then we assume
161 // there's bytes to send.
163 // This code tries to read a byte from the Request.Body in such cases to see
164 // whether the body actually has content (super rare) or is actually just
165 // a non-nil content-less ReadCloser (the more common case). In that more
166 // common case, we act as if their Body were nil instead, and don't send
168 func (t *transferWriter) shouldSendChunkedRequestBody() bool {
169 // Note that t.ContentLength is the corrected content length
170 // from rr.outgoingLength, so 0 actually means zero, not unknown.
171 if t.ContentLength >= 0 || t.Body == nil { // redundant checks; caller did them
174 if requestMethodUsuallyLacksBody(t.Method) {
175 // Only probe the Request.Body for GET/HEAD/DELETE/etc
176 // requests, because it's only those types of requests
177 // that confuse servers.
178 t.probeRequestBody() // adjusts t.Body, t.ContentLength
181 // For all other request types (PUT, POST, PATCH, or anything
182 // made-up we've never heard of), assume it's normal and the server
183 // can deal with a chunked request body. Maybe we'll adjust this
188 // probeRequestBody reads a byte from t.Body to see whether it's empty
189 // (returns io.EOF right away).
191 // But because we've had problems with this blocking users in the past
192 // (issue 17480) when the body is a pipe (perhaps waiting on the response
193 // headers before the pipe is fed data), we need to be careful and bound how
194 // long we wait for it. This delay will only affect users if all the following
196 // * the request body blocks
197 // * the content length is not set (or set to -1)
198 // * the method doesn't usually have a body (GET, HEAD, DELETE, ...)
199 // * there is no transfer-encoding=chunked already set.
200 // In other words, this delay will not normally affect anybody, and there
201 // are workarounds if it does.
202 func (t *transferWriter) probeRequestBody() {
203 t.ByteReadCh = make(chan readResult, 1)
204 go func(body io.Reader) {
207 rres.n, rres.err = body.Read(buf[:])
213 timer := time.NewTimer(200 * time.Millisecond)
215 case rres := <-t.ByteReadCh:
217 if rres.n == 0 && rres.err == io.EOF {
221 } else if rres.n == 1 {
223 t.Body = io.MultiReader(&byteReader{b: rres.b}, errorReader{rres.err})
225 t.Body = io.MultiReader(&byteReader{b: rres.b}, t.Body)
227 } else if rres.err != nil {
228 t.Body = errorReader{rres.err}
231 // Too slow. Don't wait. Read it later, and keep
232 // assuming that this is ContentLength == -1
233 // (unknown), which means we'll send a
234 // "Transfer-Encoding: chunked" header.
235 t.Body = io.MultiReader(finishAsyncByteRead{t}, t.Body)
236 // Request that Request.Write flush the headers to the
237 // network before writing the body, since our body may not
238 // become readable until it's seen the response headers.
239 t.FlushHeaders = true
243 func noResponseBodyExpected(requestMethod string) bool {
244 return requestMethod == "HEAD"
247 func (t *transferWriter) shouldSendContentLength() bool {
248 if chunked(t.TransferEncoding) {
251 if t.ContentLength > 0 {
254 if t.ContentLength < 0 {
257 // Many servers expect a Content-Length for these methods
258 if t.Method == "POST" || t.Method == "PUT" {
261 if t.ContentLength == 0 && isIdentity(t.TransferEncoding) {
262 if t.Method == "GET" || t.Method == "HEAD" {
271 func (t *transferWriter) WriteHeader(w io.Writer) error {
272 if t.Close && !hasToken(t.Header.get("Connection"), "close") {
273 if _, err := io.WriteString(w, "Connection: close\r\n"); err != nil {
278 // Write Content-Length and/or Transfer-Encoding whose values are a
279 // function of the sanitized field triple (Body, ContentLength,
281 if t.shouldSendContentLength() {
282 if _, err := io.WriteString(w, "Content-Length: "); err != nil {
285 if _, err := io.WriteString(w, strconv.FormatInt(t.ContentLength, 10)+"\r\n"); err != nil {
288 } else if chunked(t.TransferEncoding) {
289 if _, err := io.WriteString(w, "Transfer-Encoding: chunked\r\n"); err != nil {
294 // Write Trailer header
295 if t.Trailer != nil {
296 keys := make([]string, 0, len(t.Trailer))
297 for k := range t.Trailer {
298 k = CanonicalHeaderKey(k)
300 case "Transfer-Encoding", "Trailer", "Content-Length":
301 return &badStringError{"invalid Trailer key", k}
303 keys = append(keys, k)
307 // TODO: could do better allocation-wise here, but trailers are rare,
308 // so being lazy for now.
309 if _, err := io.WriteString(w, "Trailer: "+strings.Join(keys, ",")+"\r\n"); err != nil {
318 func (t *transferWriter) WriteBody(w io.Writer) error {
324 var body = transferBodyReader{t}
325 if chunked(t.TransferEncoding) {
326 if bw, ok := w.(*bufio.Writer); ok && !t.IsResponse {
327 w = &internal.FlushAfterChunkWriter{Writer: bw}
329 cw := internal.NewChunkedWriter(w)
330 _, err = io.Copy(cw, body)
334 } else if t.ContentLength == -1 {
335 ncopy, err = io.Copy(w, body)
337 ncopy, err = io.Copy(w, io.LimitReader(body, t.ContentLength))
342 nextra, err = io.Copy(ioutil.Discard, body)
349 if t.BodyCloser != nil {
350 if err := t.BodyCloser.Close(); err != nil {
355 if !t.ResponseToHEAD && t.ContentLength != -1 && t.ContentLength != ncopy {
356 return fmt.Errorf("http: ContentLength=%d with Body length %d",
357 t.ContentLength, ncopy)
360 if chunked(t.TransferEncoding) {
361 // Write Trailer header
362 if t.Trailer != nil {
363 if err := t.Trailer.Write(w); err != nil {
367 // Last chunk, empty trailer
368 _, err = io.WriteString(w, "\r\n")
373 type transferReader struct {
383 TransferEncoding []string
388 func (t *transferReader) protoAtLeast(m, n int) bool {
389 return t.ProtoMajor > m || (t.ProtoMajor == m && t.ProtoMinor >= n)
392 // bodyAllowedForStatus reports whether a given response status code
393 // permits a body. See RFC 7230, section 3.3.
394 func bodyAllowedForStatus(status int) bool {
396 case status >= 100 && status <= 199:
407 suppressedHeaders304 = []string{"Content-Type", "Content-Length", "Transfer-Encoding"}
408 suppressedHeadersNoBody = []string{"Content-Length", "Transfer-Encoding"}
411 func suppressedHeaders(status int) []string {
414 // RFC 7232 section 4.1
415 return suppressedHeaders304
416 case !bodyAllowedForStatus(status):
417 return suppressedHeadersNoBody
422 // msg is *Request or *Response.
423 func readTransfer(msg interface{}, r *bufio.Reader) (err error) {
424 t := &transferReader{RequestMethod: "GET"}
428 switch rr := msg.(type) {
431 t.StatusCode = rr.StatusCode
432 t.ProtoMajor = rr.ProtoMajor
433 t.ProtoMinor = rr.ProtoMinor
434 t.Close = shouldClose(t.ProtoMajor, t.ProtoMinor, t.Header, true)
436 if rr.Request != nil {
437 t.RequestMethod = rr.Request.Method
441 t.RequestMethod = rr.Method
442 t.ProtoMajor = rr.ProtoMajor
443 t.ProtoMinor = rr.ProtoMinor
444 // Transfer semantics for Requests are exactly like those for
445 // Responses with status code 200, responding to a GET method
449 panic("unexpected type")
452 // Default to HTTP/1.1
453 if t.ProtoMajor == 0 && t.ProtoMinor == 0 {
454 t.ProtoMajor, t.ProtoMinor = 1, 1
457 // Transfer encoding, content length
458 err = t.fixTransferEncoding()
463 realLength, err := fixLength(isResponse, t.StatusCode, t.RequestMethod, t.Header, t.TransferEncoding)
467 if isResponse && t.RequestMethod == "HEAD" {
468 if n, err := parseContentLength(t.Header.get("Content-Length")); err != nil {
474 t.ContentLength = realLength
478 t.Trailer, err = fixTrailer(t.Header, t.TransferEncoding)
483 // If there is no Content-Length or chunked Transfer-Encoding on a *Response
484 // and the status is not 1xx, 204 or 304, then the body is unbounded.
485 // See RFC 7230, section 3.3.
488 if realLength == -1 &&
489 !chunked(t.TransferEncoding) &&
490 bodyAllowedForStatus(t.StatusCode) {
496 // Prepare body reader. ContentLength < 0 means chunked encoding
497 // or close connection when finished, since multipart is not supported yet
499 case chunked(t.TransferEncoding):
500 if noResponseBodyExpected(t.RequestMethod) || !bodyAllowedForStatus(t.StatusCode) {
503 t.Body = &body{src: internal.NewChunkedReader(r), hdr: msg, r: r, closing: t.Close}
505 case realLength == 0:
508 t.Body = &body{src: io.LimitReader(r, realLength), closing: t.Close}
510 // realLength < 0, i.e. "Content-Length" not mentioned in header
512 // Close semantics (i.e. HTTP/1.0)
513 t.Body = &body{src: r, closing: t.Close}
515 // Persistent connection (i.e. HTTP/1.1)
521 switch rr := msg.(type) {
524 rr.ContentLength = t.ContentLength
525 rr.TransferEncoding = t.TransferEncoding
527 rr.Trailer = t.Trailer
530 rr.ContentLength = t.ContentLength
531 rr.TransferEncoding = t.TransferEncoding
533 rr.Trailer = t.Trailer
539 // Checks whether chunked is part of the encodings stack
540 func chunked(te []string) bool { return len(te) > 0 && te[0] == "chunked" }
542 // Checks whether the encoding is explicitly "identity".
543 func isIdentity(te []string) bool { return len(te) == 1 && te[0] == "identity" }
545 // fixTransferEncoding sanitizes t.TransferEncoding, if needed.
546 func (t *transferReader) fixTransferEncoding() error {
547 raw, present := t.Header["Transfer-Encoding"]
551 delete(t.Header, "Transfer-Encoding")
553 // Issue 12785; ignore Transfer-Encoding on HTTP/1.0 requests.
554 if !t.protoAtLeast(1, 1) {
558 encodings := strings.Split(raw[0], ",")
559 te := make([]string, 0, len(encodings))
560 // TODO: Even though we only support "identity" and "chunked"
561 // encodings, the loop below is designed with foresight. One
562 // invariant that must be maintained is that, if present,
563 // chunked encoding must always come first.
564 for _, encoding := range encodings {
565 encoding = strings.ToLower(strings.TrimSpace(encoding))
566 // "identity" encoding is not recorded
567 if encoding == "identity" {
570 if encoding != "chunked" {
571 return &badStringError{"unsupported transfer encoding", encoding}
573 te = te[0 : len(te)+1]
574 te[len(te)-1] = encoding
577 return &badStringError{"too many transfer encodings", strings.Join(te, ",")}
580 // RFC 7230 3.3.2 says "A sender MUST NOT send a
581 // Content-Length header field in any message that
582 // contains a Transfer-Encoding header field."
585 // "If a message is received with both a
586 // Transfer-Encoding and a Content-Length header
587 // field, the Transfer-Encoding overrides the
588 // Content-Length. Such a message might indicate an
589 // attempt to perform request smuggling (Section 9.5)
590 // or response splitting (Section 9.4) and ought to be
591 // handled as an error. A sender MUST remove the
592 // received Content-Length field prior to forwarding
593 // such a message downstream."
595 // Reportedly, these appear in the wild.
596 delete(t.Header, "Content-Length")
597 t.TransferEncoding = te
604 // Determine the expected body length, using RFC 7230 Section 3.3. This
605 // function is not a method, because ultimately it should be shared by
606 // ReadResponse and ReadRequest.
607 func fixLength(isResponse bool, status int, requestMethod string, header Header, te []string) (int64, error) {
608 isRequest := !isResponse
609 contentLens := header["Content-Length"]
611 // Hardening against HTTP request smuggling
612 if len(contentLens) > 1 {
613 // Per RFC 7230 Section 3.3.2, prevent multiple
614 // Content-Length headers if they differ in value.
615 // If there are dups of the value, remove the dups.
617 first := strings.TrimSpace(contentLens[0])
618 for _, ct := range contentLens[1:] {
619 if first != strings.TrimSpace(ct) {
620 return 0, fmt.Errorf("http: message cannot contain multiple Content-Length headers; got %q", contentLens)
624 // deduplicate Content-Length
625 header.Del("Content-Length")
626 header.Add("Content-Length", first)
628 contentLens = header["Content-Length"]
631 // Logic based on response type or status
632 if noResponseBodyExpected(requestMethod) {
633 // For HTTP requests, as part of hardening against request
634 // smuggling (RFC 7230), don't allow a Content-Length header for
635 // methods which don't permit bodies. As an exception, allow
636 // exactly one Content-Length header if its value is "0".
637 if isRequest && len(contentLens) > 0 && !(len(contentLens) == 1 && contentLens[0] == "0") {
638 return 0, fmt.Errorf("http: method cannot contain a Content-Length; got %q", contentLens)
650 // Logic based on Transfer-Encoding
655 // Logic based on Content-Length
657 if len(contentLens) == 1 {
658 cl = strings.TrimSpace(contentLens[0])
661 n, err := parseContentLength(cl)
667 header.Del("Content-Length")
670 // RFC 7230 neither explicitly permits nor forbids an
671 // entity-body on a GET request so we permit one if
672 // declared, but we default to 0 here (not -1 below)
673 // if there's no mention of a body.
674 // Likewise, all other request methods are assumed to have
675 // no body if neither Transfer-Encoding chunked nor a
676 // Content-Length are set.
680 // Body-EOF logic based on other methods (like closing, or chunked coding)
684 // Determine whether to hang up after sending a request and body, or
685 // receiving a response and body
686 // 'header' is the request headers
687 func shouldClose(major, minor int, header Header, removeCloseHeader bool) bool {
692 conv := header["Connection"]
693 hasClose := httpguts.HeaderValuesContainsToken(conv, "close")
694 if major == 1 && minor == 0 {
695 return hasClose || !httpguts.HeaderValuesContainsToken(conv, "keep-alive")
698 if hasClose && removeCloseHeader {
699 header.Del("Connection")
705 // Parse the trailer header
706 func fixTrailer(header Header, te []string) (Header, error) {
707 vv, ok := header["Trailer"]
711 header.Del("Trailer")
713 trailer := make(Header)
715 for _, v := range vv {
716 foreachHeaderElement(v, func(key string) {
717 key = CanonicalHeaderKey(key)
719 case "Transfer-Encoding", "Trailer", "Content-Length":
721 err = &badStringError{"bad trailer key", key}
731 if len(trailer) == 0 {
735 // Trailer and no chunking
736 return nil, ErrUnexpectedTrailer
741 // body turns a Reader into a ReadCloser.
742 // Close ensures that the body has been fully read
743 // and then reads the trailer if necessary.
746 hdr interface{} // non-nil (Response or Request) value means read trailer
747 r *bufio.Reader // underlying wire-format reader for the trailer
748 closing bool // is the connection to be closed after reading body?
749 doEarlyClose bool // whether Close should stop early
751 mu sync.Mutex // guards following, and calls to Read and Close
754 earlyClose bool // Close called and we didn't read to the end of src
755 onHitEOF func() // if non-nil, func to call when EOF is Read
758 // ErrBodyReadAfterClose is returned when reading a Request or Response
759 // Body after the body has been closed. This typically happens when the body is
760 // read after an HTTP Handler calls WriteHeader or Write on its
762 var ErrBodyReadAfterClose = errors.New("http: invalid Read on closed Body")
764 func (b *body) Read(p []byte) (n int, err error) {
768 return 0, ErrBodyReadAfterClose
770 return b.readLocked(p)
774 func (b *body) readLocked(p []byte) (n int, err error) {
778 n, err = b.src.Read(p)
782 // Chunked case. Read the trailer.
784 if e := b.readTrailer(); e != nil {
786 // Something went wrong in the trailer, we must not allow any
787 // further reads of any kind to succeed from body, nor any
788 // subsequent requests on the server connection. See
789 // golang.org/issue/12027
795 // If the server declared the Content-Length, our body is a LimitedReader
796 // and we need to check whether this EOF arrived early.
797 if lr, ok := b.src.(*io.LimitedReader); ok && lr.N > 0 {
798 err = io.ErrUnexpectedEOF
803 // If we can return an EOF here along with the read data, do
804 // so. This is optional per the io.Reader contract, but doing
805 // so helps the HTTP transport code recycle its connection
806 // earlier (since it will see this EOF itself), even if the
807 // client doesn't do future reads or Close.
808 if err == nil && n > 0 {
809 if lr, ok := b.src.(*io.LimitedReader); ok && lr.N == 0 {
815 if b.sawEOF && b.onHitEOF != nil {
823 singleCRLF = []byte("\r\n")
824 doubleCRLF = []byte("\r\n\r\n")
827 func seeUpcomingDoubleCRLF(r *bufio.Reader) bool {
828 for peekSize := 4; ; peekSize++ {
829 // This loop stops when Peek returns an error,
830 // which it does when r's buffer has been filled.
831 buf, err := r.Peek(peekSize)
832 if bytes.HasSuffix(buf, doubleCRLF) {
842 var errTrailerEOF = errors.New("http: unexpected EOF reading trailer")
844 func (b *body) readTrailer() error {
845 // The common case, since nobody uses trailers.
846 buf, err := b.r.Peek(2)
847 if bytes.Equal(buf, singleCRLF) {
858 // Make sure there's a header terminator coming up, to prevent
859 // a DoS with an unbounded size Trailer. It's not easy to
860 // slip in a LimitReader here, as textproto.NewReader requires
861 // a concrete *bufio.Reader. Also, we can't get all the way
862 // back up to our conn's LimitedReader that *might* be backing
863 // this bufio.Reader. Instead, a hack: we iteratively Peek up
864 // to the bufio.Reader's max size, looking for a double CRLF.
865 // This limits the trailer to the underlying buffer size, typically 4kB.
866 if !seeUpcomingDoubleCRLF(b.r) {
867 return errors.New("http: suspiciously long trailer after chunked body")
870 hdr, err := textproto.NewReader(b.r).ReadMIMEHeader()
877 switch rr := b.hdr.(type) {
879 mergeSetHeader(&rr.Trailer, Header(hdr))
881 mergeSetHeader(&rr.Trailer, Header(hdr))
886 func mergeSetHeader(dst *Header, src Header) {
891 for k, vv := range src {
896 // unreadDataSizeLocked returns the number of bytes of unread input.
897 // It returns -1 if unknown.
898 // b.mu must be held.
899 func (b *body) unreadDataSizeLocked() int64 {
900 if lr, ok := b.src.(*io.LimitedReader); ok {
906 func (b *body) Close() error {
915 // Already saw EOF, so no need going to look for it.
916 case b.hdr == nil && b.closing:
917 // no trailer and closing the connection next.
918 // no point in reading to EOF.
920 // Read up to maxPostHandlerReadBytes bytes of the body, looking for
921 // for EOF (and trailers), so we can re-use this connection.
922 if lr, ok := b.src.(*io.LimitedReader); ok && lr.N > maxPostHandlerReadBytes {
923 // There was a declared Content-Length, and we have more bytes remaining
924 // than our maxPostHandlerReadBytes tolerance. So, give up.
928 // Consume the body, or, which will also lead to us reading
929 // the trailer headers after the body, if present.
930 n, err = io.CopyN(ioutil.Discard, bodyLocked{b}, maxPostHandlerReadBytes)
934 if n == maxPostHandlerReadBytes {
939 // Fully consume the body, which will also lead to us reading
940 // the trailer headers after the body, if present.
941 _, err = io.Copy(ioutil.Discard, bodyLocked{b})
947 func (b *body) didEarlyClose() bool {
953 // bodyRemains reports whether future Read calls might
955 func (b *body) bodyRemains() bool {
961 func (b *body) registerOnHitEOF(fn func()) {
967 // bodyLocked is a io.Reader reading from a *body when its mutex is
969 type bodyLocked struct {
973 func (bl bodyLocked) Read(p []byte) (n int, err error) {
975 return 0, ErrBodyReadAfterClose
977 return bl.b.readLocked(p)
980 // parseContentLength trims whitespace from s and returns -1 if no value
981 // is set, or the value if it's >= 0.
982 func parseContentLength(cl string) (int64, error) {
983 cl = strings.TrimSpace(cl)
987 n, err := strconv.ParseInt(cl, 10, 64)
988 if err != nil || n < 0 {
989 return 0, &badStringError{"bad Content-Length", cl}
995 // finishAsyncByteRead finishes reading the 1-byte sniff
996 // from the ContentLength==0, Body!=nil case.
997 type finishAsyncByteRead struct {
1001 func (fr finishAsyncByteRead) Read(p []byte) (n int, err error) {
1005 rres := <-fr.tw.ByteReadCh
1006 n, err = rres.n, rres.err