|
|
@@ -2490,7 +2490,26 @@ func (w *responseWriter) Header() http.Header {
|
|
|
return rws.handlerHeader
|
|
|
}
|
|
|
|
|
|
+// checkWriteHeaderCode is a copy of net/http's checkWriteHeaderCode.
|
|
|
+func checkWriteHeaderCode(code int) {
|
|
|
+ // Issue 22880: require valid WriteHeader status codes.
|
|
|
+ // For now we only enforce that it's three digits.
|
|
|
+ // In the future we might block things over 599 (600 and above aren't defined
|
|
|
+ // at http://httpwg.org/specs/rfc7231.html#status.codes)
|
|
|
+ // and we might block under 200 (once we have more mature 1xx support).
|
|
|
+ // But for now any three digits.
|
|
|
+ //
|
|
|
+ // We used to send "HTTP/1.1 000 0" on the wire in responses but there's
|
|
|
+ // no equivalent bogus thing we can realistically send in HTTP/2,
|
|
|
+ // so we'll consistently panic instead and help people find their bugs
|
|
|
+ // early. (We can't return an error from WriteHeader even if we wanted to.)
|
|
|
+ if code < 100 || code > 999 {
|
|
|
+ panic(fmt.Sprintf("invalid WriteHeader code %v", code))
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
func (w *responseWriter) WriteHeader(code int) {
|
|
|
+ checkWriteHeaderCode(code)
|
|
|
rws := w.rws
|
|
|
if rws == nil {
|
|
|
panic("WriteHeader called after Handler finished")
|
Brad Fitzpatrick