net/http: arbitrary string between port and path in url is silently accepted

[mpl]

1. Run a (Go) webserver (on e.g. localhost:8080)

2. Run this as client:

package main

import (
    "io"
    "log"
    "os"
    "net/http"
)

func main() {
     // works with "http://localhost:8080foobar/valid_path" too
    resp, err := http.Get("http://localhost:8080foobar/")
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()
    if _, err := io.Copy(os.Stdout, resp.Body); err != nil {
        log.Fatal(err)
    }
}

3. Notice how the "foobar" string between the port and the url path does not seem to be a problem.
   I was expecting to get an error with such an URL.

I did not dig any further to see where that leniency comes from, because maybe that's not an actual concern. Let me know and I can look into it.

go version: go1.6beta2 linux/amd64

[bradfitz]

Maybe a dup of or at least similar to #14322 (port "9pfs" looking like "9").

[cespare]

I didn't look at any relevant specs, but I note that curl behaves the same way.

[mikioh]

The description of Get function in net/http package says that "Get issues a GET to the specified URL." So the question here is what's URL? Is that a subset of URIs described in RFC 3986? If so, the port subcomponent of authority must be decimal digits.

port = *DIGIT

Otherwise I have no strong opinions. I'm fine it becomes part of service discovery feature based on DNS or other fancy techniques. In that case it would look like scheme names of URI:

port = *( ALPHA / DIGIT / "+" / "-" / "." )

[msiebuhr]

I've submitted a fix for #14322 over at https://go-review.googlesource.com/#/c/19720/, that seem fix this too, as @bradfitz suggests.

I didn't write in a test for this issue, mostly because I couldn't find any obvious place to add it in the net/http-tests (suggestions welcome). Running it manually after the above is patched gives the error

… Get http://localhost:8080foobar/: dial tcp: lookup tcp/8080foobar: nodename nor servname provided, or not known
exit status 1

For reference, go1.6 returns

… Get http://localhost:8080foobar/: dial tcp [::1]:8080: getsockopt: connection refused
exit status 1

[mpl]

You're getting that error even when you have a server listening on :8080 ? I don't.
(I know it's not the main point of that issue. Just saying.)

For reference, go1.6 returns
Get http://localhost:8080foobar/: dial tcp [::1]:8080: getsockopt: connection refused exit status 1

[msiebuhr]

Totally forgot about the server. Stock go 1.6 returns whatever is on /. Returns the above error when the patch is applied.

[gopherbot]

CL https://golang.org/cl/19720 mentions this issue.

[odeke-em]

@mikioh, @bradfitz or @quentinmit might y'all have thoughts on if it was merging CL https://go-review.googlesource.com/#/c/19720 was what fixed this issue?

I've tested this locally with https://github.com/odeke-em/bugs/tree/master/golang/14353 and we now reject it with

$ go run client.go 
2016/10/05 01:50:55 Get http://localhost:8080foobar/: dial tcp: lookup tcp/8080foobar: nodename nor servname provided, or not known
exit status 1

[bradfitz]

No, CL 19720 is too late. If we're doing a DNS lookup, we've already lost.

The original fix was https://go-review.googlesource.com/22351 (for #14860) but it was rolled back in https://go-review.googlesource.com/22861

We should move the validation to net/http if we can't move it to net/url.

[gopherbot]

CL https://golang.org/cl/32482 mentions this issue.