net/http/cgi: should accept "INCLUDED" as protocol for server side includes

Go version

go version go1.23.1 darwin/arm64

Output of `go env` in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/peterbeard/Library/Caches/go-build'
GOENV='/Users/peterbeard/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/peterbeard/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/peterbeard/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/peterbeard/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/peterbeard/Development/www/fcgi-test/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/db/tdhgwvfj52q95b07mgfhpr7h0000gp/T/go-build3740171001=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

I created a local Apache server using the official php:7.2-apache docker image. I installed mod_fcgid and included the cgi, includes, and fcgid mod packages. I made the necessary changes to the httpd.conf file and ran the server with a compiled go cgi program in the /cgi-bin folder. It works when hitting the file directly from the /cgi-bin folder, but does not work when being used included with Apache SSI both through  and .

After much digging I found that the issue can very simply be replicated on go.dev/play. See reproduced bug

What did you see happen?

When running both CGI and FCGI compiled programs the following error is logged when being included as server side includes: cgi: invalid SERVER_PROTOCOL version

What did you expect to see?

FCGI implements CGI so fixing this piece in net/http/cgi will solve the issue for both CGI and FCGI.

Section 4.1.16 of the CGI Spec, RFC 3875, states the following:

A well-known value for SERVER_PROTOCOL which the server MAY use is "INCLUDED", which signals that the current document is being included as part of a composite document, rather than being the direct target of the client request. The script should treat this as an HTTP/1.0 request.

The following piece of the cgi package does not properly implement this spec.

https://github.com/golang/go/blob/3ca78afb3bf4f28af1ca76875c0a15d6b87a5c50/src/net/http/cgi/child.go#L58-L63

Since this relies entirely on the http.ParseHttpVersion function to validate the server protocol, the INCLUDED value for SERVER_PROTOCOL is not handled.

The fix could be implemented directly in the CGI child.go script since this only applies to CGI/FCGI only and will not cause problems by modifying http.ParseHttpVersion.

Example of one possible fix, in place of the above referenced code block:

        r.Proto = params["SERVER_PROTOCOL"]
    var ok bool
    if r.Proto == "INCLUDED" {
                // Handles SSI (Server Side Include) use case per the CGI RFC 3875 spec as specified in section 4.1.16
        r.ProtoMajor, r.ProtoMinor, ok = http.ParseHTTPVersion("HTTP/1.0")
    } else {
        r.ProtoMajor, r.ProtoMinor, ok = http.ParseHTTPVersion(r.Proto)
    }
    if !ok {
        return nil, errors.New("cgi: invalid SERVER_PROTOCOL version")
    }

golang / go