net/http: send body or close connection on expect-100-continue requests

When sending a request with an "Expect: 100-continue" header, we must send the request body before sending any further requests on the connection. When receiving a non-1xx response to an "Expect: 100-continue" request, send the request body if the connection isn't being closed after processing the response. In other words, if either the request or response contains a "Connection: close" header, then skip sending the request body (because the connection will not be used for further requests), but otherwise send it. Correct a comment on the server-side Expect: 100-continue handling that implied sending the request body is optional. It isn't. For #67555 Change-Id: Ia2f12091bee697771087f32ac347509ec5922d54 Reviewed-on: https://go-review.googlesource.com/c/go/+/591255 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Jonathan Amsterdam <jba@google.com>
2025-12-08 06:10:04 +00:00 · 2024-06-06 12:50:46 -07:00 · 2024-06-06 12:50:46 -07:00 · cf501e05e1
commit cf501e05e1
parent 2f6ba0c294
3 changed files with 164 additions and 97 deletions
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@ -1399,16 +1399,21 @@ func (cw *chunkWriter) writeHeader(p []byte) {

 	// If the client wanted a 100-continue but we never sent it to
 	// them (or, more strictly: we never finished reading their
-	// request body), don't reuse this connection because it's now
-	// in an unknown state: we might be sending this response at
-	// the same time the client is now sending its request body
-	// after a timeout.  (Some HTTP clients send Expect:
-	// 100-continue but knowing that some servers don't support
-	// it, the clients set a timer and send the body later anyway)
-	// If we haven't seen EOF, we can't skip over the unread body
-	// because we don't know if the next bytes on the wire will be
-	// the body-following-the-timer or the subsequent request.
-	// See Issue 11549.
+	// request body), don't reuse this connection.
+	//
+	// This behavior was first added on the theory that we don't know
+	// if the next bytes on the wire are going to be the remainder of
+	// the request body or the subsequent request (see issue 11549),
+	// but that's not correct: If we keep using the connection,
+	// the client is required to send the request body whether we
+	// asked for it or not.
+	//
+	// We probably do want to skip reusing the connection in most cases,
+	// however. If the client is offering a large request body that we
+	// don't intend to use, then it's better to close the connection
+	// than to read the body. For now, assume that if we're sending
+	// headers, the handler is done reading the body and we should
+	// drop the connection if we haven't seen EOF.
 	if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF.Load() {
 		w.closeAfterReply = true
 	}