Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

net/http/httptest: check whether response bodies are allowed

Browse source 
Fixes #75471

Change-Id: Ie8fc5fae4b2a9285501198d8379bbffe51ee63f7
Reviewed-on: https://go-review.googlesource.com/c/go/+/709335
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
Sean Liao 2025-10-05 23:09:03 +01:00
parent ee163197a8
commit 4837fbe414
2 changed files with 38 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
src/net/http/httptest/recorder.go
View file

@ -105,6 +105,10 @@ func (rw *ResponseRecorder) writeHeader(b []byte, str string) {
// Write implements http.ResponseWriter. The data in buf is written to // Write implements http.ResponseWriter. The data in buf is written to
// rw.Body, if not nil. // rw.Body, if not nil.
func (rw *ResponseRecorder) Write(buf []byte) (int, error) { func (rw *ResponseRecorder) Write(buf []byte) (int, error) {
code := rw.Code
if !bodyAllowedForStatus(code) {
return 0, http.ErrBodyNotAllowed
}
rw.writeHeader(buf, "") rw.writeHeader(buf, "")
if rw.Body != nil { if rw.Body != nil {
rw.Body.Write(buf) rw.Body.Write(buf)
@ -115,6 +119,10 @@ func (rw *ResponseRecorder) Write(buf []byte) (int, error) {
// WriteString implements [io.StringWriter]. The data in str is written // WriteString implements [io.StringWriter]. The data in str is written
// to rw.Body, if not nil. // to rw.Body, if not nil.
func (rw *ResponseRecorder) WriteString(str string) (int, error) { func (rw *ResponseRecorder) WriteString(str string) (int, error) {
code := rw.Code
if !bodyAllowedForStatus(code) {
return 0, http.ErrBodyNotAllowed
}
rw.writeHeader(nil, str) rw.writeHeader(nil, str)
if rw.Body != nil { if rw.Body != nil {
rw.Body.WriteString(str) rw.Body.WriteString(str)
@ -122,6 +130,20 @@ func (rw *ResponseRecorder) WriteString(str string) (int, error) {
return len(str), nil return len(str), nil
} }
// bodyAllowedForStatus reports whether a given response status code
// permits a body. See RFC 7230, section 3.3.
func bodyAllowedForStatus(status int) bool {
switch {
case status >= 100 && status <= 199:
return false
case status == 204:
return false
case status == 304:
return false
}
return true
}
func checkWriteHeaderCode(code int) { func checkWriteHeaderCode(code int) {
// Issue 22880: require valid WriteHeader status codes. // Issue 22880: require valid WriteHeader status codes.
// For now we only enforce that it's three digits. // For now we only enforce that it's three digits.

16
src/net/http/httptest/recorder_test.go
View file

@ -5,6 +5,7 @@
package httptest package httptest
import ( import (
"errors"
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
@ -309,6 +310,21 @@ func TestRecorder(t *testing.T) {
} }
} }
func TestBodyNotAllowed(t *testing.T) {
rw := NewRecorder()
rw.WriteHeader(204)
_, err := rw.Write([]byte("hello world"))
if !errors.Is(err, http.ErrBodyNotAllowed) {
t.Errorf("expected BodyNotAllowed for Write after 204, got: %v", err)
}
_, err = rw.WriteString("hello world")
if !errors.Is(err, http.ErrBodyNotAllowed) {
t.Errorf("expected BodyNotAllowed for WriteString after 204, got: %v", err)
}
}
// issue 39017 - disallow Content-Length values such as "+3" // issue 39017 - disallow Content-Length values such as "+3"
func TestParseContentLength(t *testing.T) { func TestParseContentLength(t *testing.T) {
tests := []struct { tests := []struct {