Skip to content

net/http: Post redirect can submit entity body when redirecting with GET request #57273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ioquatix opened this issue Dec 13, 2022 · 1 comment
Open

net/http: Post redirect can submit entity body when redirecting with GET request #57273

ioquatix opened this issue Dec 13, 2022 · 1 comment
Assignees
@neild
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@ioquatix
Copy link

ioquatix commented Dec 13, 2022
edited
Loading

As discussed in #52519, it's possible for the http.Client to perform an invalid request when it receives a redirect status code which changes the request method from POST to GET, removing the entity body without updating the required headers.

See rack/rack#1994 for more context.

What version of Go are you using (go version)?

$ go version
go version go1.19.4 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/samuel/.cache/go-build"
GOENV="/home/samuel/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/samuel/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/samuel/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3391049208=/tmp/go-build -gno-record-gcc-switches"

What did you do?

The problem is explained in https://github.com/ioquatix/rack-go-http-client-redirect-bug with a reproduction.

What did you expect to see?

I expected it to follow the similar model as the fetch specification for handling redirects: https://fetch.spec.whatwg.org/#http-redirect-fetch.

Specifically, when receiving a redirect which causes the request method to change to GET, it needs to remove the entity body and the following headers:

  • content-encoding
  • content-language
  • content-location
  • content-type

What did you see instead?

A GET request which includes a content-type header without an entity body (invalid).
@ioquatix ioquatix mentioned this issue Dec 13, 2022
Closed
@ianlancetaylor ianlancetaylor changed the title net/http: http.Post redirect can submit entity body when redirecting with GET request. net/http: Post redirect can submit entity body when redirecting with GET request Dec 13, 2022
@ianlancetaylor
Copy link
Contributor

CC @neild @bradfitz

@thanm thanm added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 13, 2022
@neild neild self-assigned this Dec 13, 2022
@ioquatix ioquatix mentioned this issue Dec 16, 2022
Closed
@seankhliao seankhliao added this to the Unplanned milestone Jan 20, 2023
This was referenced Nov 2, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@ioquatix @neild @ianlancetaylor @seankhliao @thanm