[go] net/http/httptest: check the HeaderCode when WriteHeader

ZiZhao Zhang (Gerrit)

unread,

Apr 10, 2021, 3:48:55 AM4/10/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

ZiZhao Zhang has uploaded this change for review.

net/http/httptest: check the HeaderCode when WriteHeader

fixes #45353

Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203
---
M src/net/http/httptest/recorder.go
1 file changed, 19 insertions(+), 0 deletions(-)

diff --git a/src/net/http/httptest/recorder.go b/src/net/http/httptest/recorder.go
index 2428482..1b712ef 100644
--- a/src/net/http/httptest/recorder.go
+++ b/src/net/http/httptest/recorder.go
@@ -122,11 +122,30 @@
 	return len(str), nil
 }
 
+func checkWriteHeaderCode(code int) {
+	// Issue 22880: require valid WriteHeader status codes.
+	// For now we only enforce that it's three digits.
+	// In the future we might block things over 599 (600 and above aren't defined
+	// at https://httpwg.org/specs/rfc7231.html#status.codes)
+	// and we might block under 200 (once we have more mature 1xx support).
+	// But for now any three digits.
+	//
+	// We used to send "HTTP/1.1 000 0" on the wire in responses but there's
+	// no equivalent bogus thing we can realistically send in HTTP/2,
+	// so we'll consistently panic instead and help people find their bugs
+	// early. (We can't return an error from WriteHeader even if we wanted to.)
+	if code < 100 || code > 999 {
+		panic(fmt.Sprintf("invalid WriteHeader code %v", code))
+	}
+}
+
 // WriteHeader implements http.ResponseWriter.
 func (rw *ResponseRecorder) WriteHeader(code int) {
 	if rw.wroteHeader {
 		return
 	}
+
+	checkWriteHeaderCode(code)
 	rw.Code = code
 	rw.wroteHeader = true
 	if rw.HeaderMap == nil {

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 10, 2021, 4:01:24 AM4/10/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

ZiZhao Zhang uploaded patch set #2 to this change.

View Change

net/http/httptest: check the HeaderCode when WriteHeader

Fixes #45353



Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203
---
M src/net/http/httptest/recorder.go
1 file changed, 19 insertions(+), 0 deletions(-)

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 11, 2021, 10:56:17 PM4/11/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, Go Bot, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

Patch set 2:Run-TryBot +1

View Change

2 comments:

Commit Message:
- Patch Set #2, Line 7: net/http/httptest: check the HeaderCode when WriteHeader
  net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader
  This change conforms Recorder with net/http servers, to panic
  when a handler writes a non-3 digit XXX status code.

Patchset:

Patch Set #2:

Thank you ZiZhao for this change, and great to catch you here!

I have added some suggestions to improve the commit message, but also,
we need a test to prevent any regressions in case that code is removed.

Please add this test:

// Ensure that httptest.Recorder panics when given a non-3 digit (XXX)
// status HTTP code. See https://golang.org/issues/45353
// Ensure that httptest.Recorder panics when given a non-3 digit (XXX)
// status HTTP code. See https://golang.org/issues/45353
func TestRecorderPanicsOnNonXXXStatusCode(t *testing.T) {
	badCodes := []int{
		-100, 0, 99, 1000, 20000,
	}

	for _, badCode := range badCodes {
		badCode := badCode
		t.Run(fmt.Sprintf("Code=%d", badCode), func(t *testing.T) {
			defer func() {
				if r := recover(); r == nil {
					t.Fatal("Expected a panic")
				}
			}()
			handler := func(rw http.ResponseWriter, _ *http.Request) {
				rw.WriteHeader(badCode)
			}

			req := httptest.NewRequest("GET", "https://example.org/", nil)
			rw := httptest.NewRecorder()
			handler(rw, req)
		})
	}
}

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 11, 2021, 11:17:44 PM4/11/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

ZiZhao Zhang uploaded patch set #3 to this change.

View Change

net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader



This change conforms Recorder with net/http servers, to panic
when a handler writes a non-3 digit XXX status code.

fixes #45353



Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203
---
M src/net/http/httptest/recorder.go

M src/net/http/httptest/recorder_test.go
2 files changed, 43 insertions(+), 0 deletions(-)

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 11, 2021, 11:24:36 PM4/11/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Ian Lance Taylor, Emmanuel Odeke.

View Change

2 comments:

Commit Message:

- Patch Set #2, Line 7: net/http/httptest: check the HeaderCode when WriteHeader

- net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader […]
  Done
Patchset:
- Patch Set #2:
  Thank you ZiZhao for this change, and great to catch you here! […]
  Thank you for your review.
  I wanted to add a test, but I forgot. thanks

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 11, 2021, 11:26:01 PM4/11/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

View Change

1 comment:

Commit Message:
- Patch Set #3, Line 12: f
  Please capitalize it, you had it capitalized before to "Fixes"

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 11, 2021, 11:31:58 PM4/11/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

ZiZhao Zhang uploaded patch set #4 to this change.

View Change

net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader


This change conforms Recorder with net/http servers, to panic
when a handler writes a non-3 digit XXX status code.

Fixes #45353



Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203
---
M src/net/http/httptest/recorder.go
M src/net/http/httptest/recorder_test.go
2 files changed, 43 insertions(+), 0 deletions(-)

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 11, 2021, 11:32:58 PM4/11/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Ian Lance Taylor, Emmanuel Odeke.

View Change

1 comment:

Commit Message:

- Patch Set #3, Line 12: f
  Please capitalize it, you had it capitalized before to "Fixes"

- Done

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 11, 2021, 11:33:35 PM4/11/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

Patch set 4:Run-TryBot +1Code-Review +2

View Change

1 comment:

Patchset:
- Patch Set #4:
  Cool, thank you ZiZhao and LGTM!

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 11, 2021, 11:39:41 PM4/11/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

View Change

1 comment:

Patchset:
- Patch Set #4:
  Patch Set 4:
  Build is still in progress...
  This change failed on linux-arm64-aws:
  See https://storage.googleapis.com/go-build-log/c5415166/linux-arm64-aws_e6de3524.log
  Other builds still in progress; subsequent failure notices suppressed until final report. Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test *exactly* your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.
  ZiZhao, please also run the tests locally too and adjust as needed :-) some imports

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 12, 2021, 12:17:48 AM4/12/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

ZiZhao Zhang uploaded patch set #5 to this change.

View Change

net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader

This change conforms Recorder with net/http servers, to panic
when a handler writes a non-3 digit XXX status code.

Fixes #45353

Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203
---
M src/net/http/httptest/recorder.go
M src/net/http/httptest/recorder_test.go
2 files changed, 43 insertions(+), 0 deletions(-)

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 12, 2021, 12:19:13 AM4/12/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

ZiZhao Zhang uploaded patch set #6 to this change.

View Change

net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader

This change conforms Recorder with net/http servers, to panic
when a handler writes a non-3 digit XXX status code.

Fixes #45353

Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203
---
M src/net/http/httptest/recorder.go
M src/net/http/httptest/recorder_test.go

2 files changed, 44 insertions(+), 0 deletions(-)

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 12, 2021, 12:24:56 AM4/12/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Ian Lance Taylor.

View Change

1 comment:

Patchset:

- Patch Set #4:
  Patch Set 4:
  Build is still in progress...
  This change failed on linux-arm64-aws:
  See https://storage.googleapis.com/go-build-log/c5415166/linux-arm64-aws_e6de3524.log
  Other builds still in progress; subsequent failure notices suppressed until final report. Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test *exactly* your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.
  ZiZhao, please also run the tests locally too and adjust as needed :-) some imports

- My fault. The test is fixed.

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 12, 2021, 12:28:04 AM4/12/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

Patch set 6:Run-TryBot +1Code-Review +2

View Change

1 comment:

Patchset:
- Patch Set #6:
  Thank you!

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

ZiZhao Zhang (Gerrit)

unread,

Apr 12, 2021, 12:44:32 AM4/12/21

to goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Ian Lance Taylor.

View Change

1 comment:

Patchset:

- Patch Set #6:
  Thank you!

- Thank you for your careful review

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Michael Knyszek (Gerrit)

unread,

Apr 14, 2021, 5:00:54 PM4/14/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Emmanuel Odeke, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

Patch set 6:Trust +1

View Change

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 14, 2021, 5:58:04 PM4/14/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, ZiZhao Zhang, Ian Lance Taylor.

View Change

1 comment:

Patchset:
- Patch Set #6:
  Thank you Michael for the Trust+1, thank you ZiZhao for the change!

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 14, 2021, 5:58:11 PM4/14/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Michael Knyszek, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

Emmanuel Odeke submitted this change.

View Change

Approvals:
  Emmanuel Odeke: Looks good to me, approved; Run TryBots
  Michael Knyszek: Trusted
  Go Bot: TryBots succeeded

net/http/httptest: panic on non-3 digit (XXX) status code in Recorder.WriteHeader

This change conforms Recorder with net/http servers, to panic
when a handler writes a non-3 digit XXX status code.

Fixes #45353

Change-Id: Id5ed4af652e8c150ae86bf50402b800d935e2203

Reviewed-on: https://go-review.googlesource.com/c/go/+/308950
Reviewed-by: Emmanuel Odeke <emma...@orijtech.com>
Run-TryBot: Emmanuel Odeke <emma...@orijtech.com>
TryBot-Result: Go Bot <go...@golang.org>
Trust: Michael Knyszek <mkny...@google.com>


---
M src/net/http/httptest/recorder.go
M src/net/http/httptest/recorder_test.go
2 files changed, 44 insertions(+), 0 deletions(-)

diff --git a/src/net/http/httptest/recorder_test.go b/src/net/http/httptest/recorder_test.go
index a865e87..8cb32dd 100644
--- a/src/net/http/httptest/recorder_test.go
+++ b/src/net/http/httptest/recorder_test.go
@@ -345,3 +345,28 @@
 		}
 	}
 }
+
+// Ensure that httptest.Recorder panics when given a non-3 digit (XXX)
+// status HTTP code. See https://golang.org/issues/45353
+func TestRecorderPanicsOnNonXXXStatusCode(t *testing.T) {
+	badCodes := []int{
+		-100, 0, 99, 1000, 20000,
+	}
+	for _, badCode := range badCodes {
+		badCode := badCode
+		t.Run(fmt.Sprintf("Code=%d", badCode), func(t *testing.T) {
+			defer func() {
+				if r := recover(); r == nil {
+					t.Fatal("Expected a panic")
+				}
+			}()
+
+			handler := func(rw http.ResponseWriter, _ *http.Request) {
+				rw.WriteHeader(badCode)
+			}
+			r, _ := http.NewRequest("GET", "http://example.org/", nil)
+			rw := NewRecorder()
+			handler(rw, r)
+		})
+	}
+}

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Emmanuel Odeke (Gerrit)

unread,

Apr 14, 2021, 9:52:39 PM4/14/21

to ZiZhao Zhang, goph...@pubsubhelper.golang.org, Go Bot, Ian Lance Taylor, Brad Fitzpatrick, Russ Cox, Roberto Clapis, golang-co...@googlegroups.com

View Change

1 comment:

Patchset:
- Patch Set #7:
  RELNOTE=yes

To view, visit change 308950. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward