httputils.go

     1  // Copyright 2019 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Code copied from x/net/http/httpguts/httplex.go
     6  
     7  package auth
     8  
     9  var isTokenTable = [256]bool{
    10  	'!':  true,
    11  	'#':  true,
    12  	'$':  true,
    13  	'%':  true,
    14  	'&':  true,
    15  	'\'': true,
    16  	'*':  true,
    17  	'+':  true,
    18  	'-':  true,
    19  	'.':  true,
    20  	'0':  true,
    21  	'1':  true,
    22  	'2':  true,
    23  	'3':  true,
    24  	'4':  true,
    25  	'5':  true,
    26  	'6':  true,
    27  	'7':  true,
    28  	'8':  true,
    29  	'9':  true,
    30  	'A':  true,
    31  	'B':  true,
    32  	'C':  true,
    33  	'D':  true,
    34  	'E':  true,
    35  	'F':  true,
    36  	'G':  true,
    37  	'H':  true,
    38  	'I':  true,
    39  	'J':  true,
    40  	'K':  true,
    41  	'L':  true,
    42  	'M':  true,
    43  	'N':  true,
    44  	'O':  true,
    45  	'P':  true,
    46  	'Q':  true,
    47  	'R':  true,
    48  	'S':  true,
    49  	'T':  true,
    50  	'U':  true,
    51  	'W':  true,
    52  	'V':  true,
    53  	'X':  true,
    54  	'Y':  true,
    55  	'Z':  true,
    56  	'^':  true,
    57  	'_':  true,
    58  	'`':  true,
    59  	'a':  true,
    60  	'b':  true,
    61  	'c':  true,
    62  	'd':  true,
    63  	'e':  true,
    64  	'f':  true,
    65  	'g':  true,
    66  	'h':  true,
    67  	'i':  true,
    68  	'j':  true,
    69  	'k':  true,
    70  	'l':  true,
    71  	'm':  true,
    72  	'n':  true,
    73  	'o':  true,
    74  	'p':  true,
    75  	'q':  true,
    76  	'r':  true,
    77  	's':  true,
    78  	't':  true,
    79  	'u':  true,
    80  	'v':  true,
    81  	'w':  true,
    82  	'x':  true,
    83  	'y':  true,
    84  	'z':  true,
    85  	'|':  true,
    86  	'~':  true,
    87  }
    88  
    89  // isLWS reports whether b is linear white space, according
    90  // to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
    91  //
    92  //	LWS            = [CRLF] 1*( SP | HT )
    93  func isLWS(b byte) bool { return b == ' ' || b == '\t' }
    94  
    95  // isCTL reports whether b is a control byte, according
    96  // to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
    97  //
    98  //	CTL            = <any US-ASCII control character
    99  //	                 (octets 0 - 31) and DEL (127)>
   100  func isCTL(b byte) bool {
   101  	const del = 0x7f // a CTL
   102  	return b < ' ' || b == del
   103  }
   104  
   105  // validHeaderFieldName reports whether v is a valid HTTP/1.x header name.
   106  // HTTP/2 imposes the additional restriction that uppercase ASCII
   107  // letters are not allowed.
   108  //
   109  // RFC 7230 says:
   110  //
   111  //	header-field   = field-name ":" OWS field-value OWS
   112  //	field-name     = token
   113  //	token          = 1*tchar
   114  //	tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
   115  //	        "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
   116  func validHeaderFieldName(v string) bool {
   117  	if len(v) == 0 {
   118  		return false
   119  	}
   120  	for i := 0; i < len(v); i++ {
   121  		if !isTokenTable[v[i]] {
   122  			return false
   123  		}
   124  	}
   125  	return true
   126  }
   127  
   128  // validHeaderFieldValue reports whether v is a valid "field-value" according to
   129  // http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 :
   130  //
   131  //	message-header = field-name ":" [ field-value ]
   132  //	field-value    = *( field-content | LWS )
   133  //	field-content  = <the OCTETs making up the field-value
   134  //	                 and consisting of either *TEXT or combinations
   135  //	                 of token, separators, and quoted-string>
   136  //
   137  // http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 :
   138  //
   139  //	TEXT           = <any OCTET except CTLs,
   140  //	                  but including LWS>
   141  //	LWS            = [CRLF] 1*( SP | HT )
   142  //	CTL            = <any US-ASCII control character
   143  //	                 (octets 0 - 31) and DEL (127)>
   144  //
   145  // RFC 7230 says:
   146  //
   147  //	field-value    = *( field-content / obs-fold )
   148  //	obj-fold       =  N/A to http2, and deprecated
   149  //	field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
   150  //	field-vchar    = VCHAR / obs-text
   151  //	obs-text       = %x80-FF
   152  //	VCHAR          = "any visible [USASCII] character"
   153  //
   154  // http2 further says: "Similarly, HTTP/2 allows header field values
   155  // that are not valid. While most of the values that can be encoded
   156  // will not alter header field parsing, carriage return (CR, ASCII
   157  // 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII
   158  // 0x0) might be exploited by an attacker if they are translated
   159  // verbatim. Any request or response that contains a character not
   160  // permitted in a header field value MUST be treated as malformed
   161  // (Section 8.1.2.6). Valid characters are defined by the
   162  // field-content ABNF rule in Section 3.2 of [RFC7230]."
   163  //
   164  // This function does not (yet?) properly handle the rejection of
   165  // strings that begin or end with SP or HTAB.
   166  func validHeaderFieldValue(v string) bool {
   167  	for i := 0; i < len(v); i++ {
   168  		b := v[i]
   169  		if isCTL(b) && !isLWS(b) {
   170  			return false
   171  		}
   172  	}
   173  	return true
   174  }
   175
View as plain text