Open blessingcharles opened 2 years ago
RFC 7230 section 3.5 explicitly allows for accepting a bare LF:
Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.
Perhaps we should be stricter, but the current behavior is within the parameters permitted by RFC 7230.
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
yes
What did you do?
While fuzzing for analyzing the discrepancies in the parsing behavior of various servers , the termination chunk of 0\n\r\n was accepted and most servers like nodejs and actix replied witj 400 request . According to RFC the termination chunk must be 0CRLFCRLF ie 0\r\n\r\n but golang accept 0\n\r\n . RFC chunked termination
Every header , requestline and body delimiting end should be CRLF according to RFC ABNF grammar but golang accepts LF alone as a valid request .RFC 7230
POC
What did you expect to see?
What operating system and processor architecture are you using (
go env
)?Environment
Code used