Source file src/net/http/request.go
1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // HTTP Request reading and parsing. 6 7 package http 8 9 import ( 10 "bufio" 11 "bytes" 12 "context" 13 "crypto/tls" 14 "encoding/base64" 15 "errors" 16 "fmt" 17 "io" 18 "mime" 19 "mime/multipart" 20 "net/http/httptrace" 21 "net/http/internal/ascii" 22 "net/textproto" 23 "net/url" 24 urlpkg "net/url" 25 "strconv" 26 "strings" 27 "sync" 28 29 "golang.org/x/net/http/httpguts" 30 "golang.org/x/net/idna" 31 ) 32 33 const ( 34 defaultMaxMemory = 32 << 20 // 32 MB 35 ) 36 37 // ErrMissingFile is returned by FormFile when the provided file field name 38 // is either not present in the request or not a file field. 39 var ErrMissingFile = errors.New("http: no such file") 40 41 // ProtocolError represents an HTTP protocol error. 42 // 43 // Deprecated: Not all errors in the http package related to protocol errors 44 // are of type ProtocolError. 45 type ProtocolError struct { 46 ErrorString string 47 } 48 49 func (pe *ProtocolError) Error() string { return pe.ErrorString } 50 51 // Is lets http.ErrNotSupported match errors.ErrUnsupported. 52 func (pe *ProtocolError) Is(err error) bool { 53 return pe == ErrNotSupported && err == errors.ErrUnsupported 54 } 55 56 var ( 57 // ErrNotSupported indicates that a feature is not supported. 58 // 59 // It is returned by ResponseController methods to indicate that 60 // the handler does not support the method, and by the Push method 61 // of Pusher implementations to indicate that HTTP/2 Push support 62 // is not available. 63 ErrNotSupported = &ProtocolError{"feature not supported"} 64 65 // Deprecated: ErrUnexpectedTrailer is no longer returned by 66 // anything in the net/http package. Callers should not 67 // compare errors against this variable. 68 ErrUnexpectedTrailer = &ProtocolError{"trailer header without chunked transfer encoding"} 69 70 // ErrMissingBoundary is returned by Request.MultipartReader when the 71 // request's Content-Type does not include a "boundary" parameter. 72 ErrMissingBoundary = &ProtocolError{"no multipart boundary param in Content-Type"} 73 74 // ErrNotMultipart is returned by Request.MultipartReader when the 75 // request's Content-Type is not multipart/form-data. 76 ErrNotMultipart = &ProtocolError{"request Content-Type isn't multipart/form-data"} 77 78 // Deprecated: ErrHeaderTooLong is no longer returned by 79 // anything in the net/http package. Callers should not 80 // compare errors against this variable. 81 ErrHeaderTooLong = &ProtocolError{"header too long"} 82 83 // Deprecated: ErrShortBody is no longer returned by 84 // anything in the net/http package. Callers should not 85 // compare errors against this variable. 86 ErrShortBody = &ProtocolError{"entity body too short"} 87 88 // Deprecated: ErrMissingContentLength is no longer returned by 89 // anything in the net/http package. Callers should not 90 // compare errors against this variable. 91 ErrMissingContentLength = &ProtocolError{"missing ContentLength in HEAD response"} 92 ) 93 94 func badStringError(what, val string) error { return fmt.Errorf("%s %q", what, val) } 95 96 // Headers that Request.Write handles itself and should be skipped. 97 var reqWriteExcludeHeader = map[string]bool{ 98 "Host": true, // not in Header map anyway 99 "User-Agent": true, 100 "Content-Length": true, 101 "Transfer-Encoding": true, 102 "Trailer": true, 103 } 104 105 // A Request represents an HTTP request received by a server 106 // or to be sent by a client. 107 // 108 // The field semantics differ slightly between client and server 109 // usage. In addition to the notes on the fields below, see the 110 // documentation for [Request.Write] and [RoundTripper]. 111 type Request struct { 112 // Method specifies the HTTP method (GET, POST, PUT, etc.). 113 // For client requests, an empty string means GET. 114 Method string 115 116 // URL specifies either the URI being requested (for server 117 // requests) or the URL to access (for client requests). 118 // 119 // For server requests, the URL is parsed from the URI 120 // supplied on the Request-Line as stored in RequestURI. For 121 // most requests, fields other than Path and RawQuery will be 122 // empty. (See RFC 7230, Section 5.3) 123 // 124 // For client requests, the URL's Host specifies the server to 125 // connect to, while the Request's Host field optionally 126 // specifies the Host header value to send in the HTTP 127 // request. 128 URL *url.URL 129 130 // The protocol version for incoming server requests. 131 // 132 // For client requests, these fields are ignored. The HTTP 133 // client code always uses either HTTP/1.1 or HTTP/2. 134 // See the docs on Transport for details. 135 Proto string // "HTTP/1.0" 136 ProtoMajor int // 1 137 ProtoMinor int // 0 138 139 // Header contains the request header fields either received 140 // by the server or to be sent by the client. 141 // 142 // If a server received a request with header lines, 143 // 144 // Host: example.com 145 // accept-encoding: gzip, deflate 146 // Accept-Language: en-us 147 // fOO: Bar 148 // foo: two 149 // 150 // then 151 // 152 // Header = map[string][]string{ 153 // "Accept-Encoding": {"gzip, deflate"}, 154 // "Accept-Language": {"en-us"}, 155 // "Foo": {"Bar", "two"}, 156 // } 157 // 158 // For incoming requests, the Host header is promoted to the 159 // Request.Host field and removed from the Header map. 160 // 161 // HTTP defines that header names are case-insensitive. The 162 // request parser implements this by using CanonicalHeaderKey, 163 // making the first character and any characters following a 164 // hyphen uppercase and the rest lowercase. 165 // 166 // For client requests, certain headers such as Content-Length 167 // and Connection are automatically written when needed and 168 // values in Header may be ignored. See the documentation 169 // for the Request.Write method. 170 Header Header 171 172 // Body is the request's body. 173 // 174 // For client requests, a nil body means the request has no 175 // body, such as a GET request. The HTTP Client's Transport 176 // is responsible for calling the Close method. 177 // 178 // For server requests, the Request Body is always non-nil 179 // but will return EOF immediately when no body is present. 180 // The Server will close the request body. The ServeHTTP 181 // Handler does not need to. 182 // 183 // Body must allow Read to be called concurrently with Close. 184 // In particular, calling Close should unblock a Read waiting 185 // for input. 186 Body io.ReadCloser 187 188 // GetBody defines an optional func to return a new copy of 189 // Body. It is used for client requests when a redirect requires 190 // reading the body more than once. Use of GetBody still 191 // requires setting Body. 192 // 193 // For server requests, it is unused. 194 GetBody func() (io.ReadCloser, error) 195 196 // ContentLength records the length of the associated content. 197 // The value -1 indicates that the length is unknown. 198 // Values >= 0 indicate that the given number of bytes may 199 // be read from Body. 200 // 201 // For client requests, a value of 0 with a non-nil Body is 202 // also treated as unknown. 203 ContentLength int64 204 205 // TransferEncoding lists the transfer encodings from outermost to 206 // innermost. An empty list denotes the "identity" encoding. 207 // TransferEncoding can usually be ignored; chunked encoding is 208 // automatically added and removed as necessary when sending and 209 // receiving requests. 210 TransferEncoding []string 211 212 // Close indicates whether to close the connection after 213 // replying to this request (for servers) or after sending this 214 // request and reading its response (for clients). 215 // 216 // For server requests, the HTTP server handles this automatically 217 // and this field is not needed by Handlers. 218 // 219 // For client requests, setting this field prevents re-use of 220 // TCP connections between requests to the same hosts, as if 221 // Transport.DisableKeepAlives were set. 222 Close bool 223 224 // For server requests, Host specifies the host on which the 225 // URL is sought. For HTTP/1 (per RFC 7230, section 5.4), this 226 // is either the value of the "Host" header or the host name 227 // given in the URL itself. For HTTP/2, it is the value of the 228 // ":authority" pseudo-header field. 229 // It may be of the form "host:port". For international domain 230 // names, Host may be in Punycode or Unicode form. Use 231 // golang.org/x/net/idna to convert it to either format if 232 // needed. 233 // To prevent DNS rebinding attacks, server Handlers should 234 // validate that the Host header has a value for which the 235 // Handler considers itself authoritative. The included 236 // ServeMux supports patterns registered to particular host 237 // names and thus protects its registered Handlers. 238 // 239 // For client requests, Host optionally overrides the Host 240 // header to send. If empty, the Request.Write method uses 241 // the value of URL.Host. Host may contain an international 242 // domain name. 243 Host string 244 245 // Form contains the parsed form data, including both the URL 246 // field's query parameters and the PATCH, POST, or PUT form data. 247 // This field is only available after ParseForm is called. 248 // The HTTP client ignores Form and uses Body instead. 249 Form url.Values 250 251 // PostForm contains the parsed form data from PATCH, POST 252 // or PUT body parameters. 253 // 254 // This field is only available after ParseForm is called. 255 // The HTTP client ignores PostForm and uses Body instead. 256 PostForm url.Values 257 258 // MultipartForm is the parsed multipart form, including file uploads. 259 // This field is only available after ParseMultipartForm is called. 260 // The HTTP client ignores MultipartForm and uses Body instead. 261 MultipartForm *multipart.Form 262 263 // Trailer specifies additional headers that are sent after the request 264 // body. 265 // 266 // For server requests, the Trailer map initially contains only the 267 // trailer keys, with nil values. (The client declares which trailers it 268 // will later send.) While the handler is reading from Body, it must 269 // not reference Trailer. After reading from Body returns EOF, Trailer 270 // can be read again and will contain non-nil values, if they were sent 271 // by the client. 272 // 273 // For client requests, Trailer must be initialized to a map containing 274 // the trailer keys to later send. The values may be nil or their final 275 // values. The ContentLength must be 0 or -1, to send a chunked request. 276 // After the HTTP request is sent the map values can be updated while 277 // the request body is read. Once the body returns EOF, the caller must 278 // not mutate Trailer. 279 // 280 // Few HTTP clients, servers, or proxies support HTTP trailers. 281 Trailer Header 282 283 // RemoteAddr allows HTTP servers and other software to record 284 // the network address that sent the request, usually for 285 // logging. This field is not filled in by ReadRequest and 286 // has no defined format. The HTTP server in this package 287 // sets RemoteAddr to an "IP:port" address before invoking a 288 // handler. 289 // This field is ignored by the HTTP client. 290 RemoteAddr string 291 292 // RequestURI is the unmodified request-target of the 293 // Request-Line (RFC 7230, Section 3.1.1) as sent by the client 294 // to a server. Usually the URL field should be used instead. 295 // It is an error to set this field in an HTTP client request. 296 RequestURI string 297 298 // TLS allows HTTP servers and other software to record 299 // information about the TLS connection on which the request 300 // was received. This field is not filled in by ReadRequest. 301 // The HTTP server in this package sets the field for 302 // TLS-enabled connections before invoking a handler; 303 // otherwise it leaves the field nil. 304 // This field is ignored by the HTTP client. 305 TLS *tls.ConnectionState 306 307 // Cancel is an optional channel whose closure indicates that the client 308 // request should be regarded as canceled. Not all implementations of 309 // RoundTripper may support Cancel. 310 // 311 // For server requests, this field is not applicable. 312 // 313 // Deprecated: Set the Request's context with NewRequestWithContext 314 // instead. If a Request's Cancel field and context are both 315 // set, it is undefined whether Cancel is respected. 316 Cancel <-chan struct{} 317 318 // Response is the redirect response which caused this request 319 // to be created. This field is only populated during client 320 // redirects. 321 Response *Response 322 323 // Pattern is the [ServeMux] pattern that matched the request. 324 // It is empty if the request was not matched against a pattern. 325 Pattern string 326 327 // ctx is either the client or server context. It should only 328 // be modified via copying the whole Request using Clone or WithContext. 329 // It is unexported to prevent people from using Context wrong 330 // and mutating the contexts held by callers of the same request. 331 ctx context.Context 332 333 // The following fields are for requests matched by ServeMux. 334 pat *pattern // the pattern that matched 335 matches []string // values for the matching wildcards in pat 336 otherValues map[string]string // for calls to SetPathValue that don't match a wildcard 337 } 338 339 // Context returns the request's context. To change the context, use 340 // [Request.Clone] or [Request.WithContext]. 341 // 342 // The returned context is always non-nil; it defaults to the 343 // background context. 344 // 345 // For outgoing client requests, the context controls cancellation. 346 // 347 // For incoming server requests, the context is canceled when the 348 // client's connection closes, the request is canceled (with HTTP/2), 349 // or when the ServeHTTP method returns. 350 func (r *Request) Context() context.Context { 351 if r.ctx != nil { 352 return r.ctx 353 } 354 return context.Background() 355 } 356 357 // WithContext returns a shallow copy of r with its context changed 358 // to ctx. The provided ctx must be non-nil. 359 // 360 // For outgoing client request, the context controls the entire 361 // lifetime of a request and its response: obtaining a connection, 362 // sending the request, and reading the response headers and body. 363 // 364 // To create a new request with a context, use [NewRequestWithContext]. 365 // To make a deep copy of a request with a new context, use [Request.Clone]. 366 func (r *Request) WithContext(ctx context.Context) *Request { 367 if ctx == nil { 368 panic("nil context") 369 } 370 r2 := new(Request) 371 *r2 = *r 372 r2.ctx = ctx 373 return r2 374 } 375 376 // Clone returns a deep copy of r with its context changed to ctx. 377 // The provided ctx must be non-nil. 378 // 379 // For an outgoing client request, the context controls the entire 380 // lifetime of a request and its response: obtaining a connection, 381 // sending the request, and reading the response headers and body. 382 func (r *Request) Clone(ctx context.Context) *Request { 383 if ctx == nil { 384 panic("nil context") 385 } 386 r2 := new(Request) 387 *r2 = *r 388 r2.ctx = ctx 389 r2.URL = cloneURL(r.URL) 390 if r.Header != nil { 391 r2.Header = r.Header.Clone() 392 } 393 if r.Trailer != nil { 394 r2.Trailer = r.Trailer.Clone() 395 } 396 if s := r.TransferEncoding; s != nil { 397 s2 := make([]string, len(s)) 398 copy(s2, s) 399 r2.TransferEncoding = s2 400 } 401 r2.Form = cloneURLValues(r.Form) 402 r2.PostForm = cloneURLValues(r.PostForm) 403 r2.MultipartForm = cloneMultipartForm(r.MultipartForm) 404 405 // Copy matches and otherValues. See issue 61410. 406 if s := r.matches; s != nil { 407 s2 := make([]string, len(s)) 408 copy(s2, s) 409 r2.matches = s2 410 } 411 if s := r.otherValues; s != nil { 412 s2 := make(map[string]string, len(s)) 413 for k, v := range s { 414 s2[k] = v 415 } 416 r2.otherValues = s2 417 } 418 return r2 419 } 420 421 // ProtoAtLeast reports whether the HTTP protocol used 422 // in the request is at least major.minor. 423 func (r *Request) ProtoAtLeast(major, minor int) bool { 424 return r.ProtoMajor > major || 425 r.ProtoMajor == major && r.ProtoMinor >= minor 426 } 427 428 // UserAgent returns the client's User-Agent, if sent in the request. 429 func (r *Request) UserAgent() string { 430 return r.Header.Get("User-Agent") 431 } 432 433 // Cookies parses and returns the HTTP cookies sent with the request. 434 func (r *Request) Cookies() []*Cookie { 435 return readCookies(r.Header, "") 436 } 437 438 // CookiesNamed parses and returns the named HTTP cookies sent with the request 439 // or an empty slice if none matched. 440 func (r *Request) CookiesNamed(name string) []*Cookie { 441 if name == "" { 442 return []*Cookie{} 443 } 444 return readCookies(r.Header, name) 445 } 446 447 // ErrNoCookie is returned by Request's Cookie method when a cookie is not found. 448 var ErrNoCookie = errors.New("http: named cookie not present") 449 450 // Cookie returns the named cookie provided in the request or 451 // [ErrNoCookie] if not found. 452 // If multiple cookies match the given name, only one cookie will 453 // be returned. 454 func (r *Request) Cookie(name string) (*Cookie, error) { 455 if name == "" { 456 return nil, ErrNoCookie 457 } 458 for _, c := range readCookies(r.Header, name) { 459 return c, nil 460 } 461 return nil, ErrNoCookie 462 } 463 464 // AddCookie adds a cookie to the request. Per RFC 6265 section 5.4, 465 // AddCookie does not attach more than one [Cookie] header field. That 466 // means all cookies, if any, are written into the same line, 467 // separated by semicolon. 468 // AddCookie only sanitizes c's name and value, and does not sanitize 469 // a Cookie header already present in the request. 470 func (r *Request) AddCookie(c *Cookie) { 471 s := fmt.Sprintf("%s=%s", sanitizeCookieName(c.Name), sanitizeCookieValue(c.Value, c.Quoted)) 472 if c := r.Header.Get("Cookie"); c != "" { 473 r.Header.Set("Cookie", c+"; "+s) 474 } else { 475 r.Header.Set("Cookie", s) 476 } 477 } 478 479 // Referer returns the referring URL, if sent in the request. 480 // 481 // Referer is misspelled as in the request itself, a mistake from the 482 // earliest days of HTTP. This value can also be fetched from the 483 // [Header] map as Header["Referer"]; the benefit of making it available 484 // as a method is that the compiler can diagnose programs that use the 485 // alternate (correct English) spelling req.Referrer() but cannot 486 // diagnose programs that use Header["Referrer"]. 487 func (r *Request) Referer() string { 488 return r.Header.Get("Referer") 489 } 490 491 // multipartByReader is a sentinel value. 492 // Its presence in Request.MultipartForm indicates that parsing of the request 493 // body has been handed off to a MultipartReader instead of ParseMultipartForm. 494 var multipartByReader = &multipart.Form{ 495 Value: make(map[string][]string), 496 File: make(map[string][]*multipart.FileHeader), 497 } 498 499 // MultipartReader returns a MIME multipart reader if this is a 500 // multipart/form-data or a multipart/mixed POST request, else returns nil and an error. 501 // Use this function instead of [Request.ParseMultipartForm] to 502 // process the request body as a stream. 503 func (r *Request) MultipartReader() (*multipart.Reader, error) { 504 if r.MultipartForm == multipartByReader { 505 return nil, errors.New("http: MultipartReader called twice") 506 } 507 if r.MultipartForm != nil { 508 return nil, errors.New("http: multipart handled by ParseMultipartForm") 509 } 510 r.MultipartForm = multipartByReader 511 return r.multipartReader(true) 512 } 513 514 func (r *Request) multipartReader(allowMixed bool) (*multipart.Reader, error) { 515 v := r.Header.Get("Content-Type") 516 if v == "" { 517 return nil, ErrNotMultipart 518 } 519 if r.Body == nil { 520 return nil, errors.New("missing form body") 521 } 522 d, params, err := mime.ParseMediaType(v) 523 if err != nil || !(d == "multipart/form-data" || allowMixed && d == "multipart/mixed") { 524 return nil, ErrNotMultipart 525 } 526 boundary, ok := params["boundary"] 527 if !ok { 528 return nil, ErrMissingBoundary 529 } 530 return multipart.NewReader(r.Body, boundary), nil 531 } 532 533 // isH2Upgrade reports whether r represents the http2 "client preface" 534 // magic string. 535 func (r *Request) isH2Upgrade() bool { 536 return r.Method == "PRI" && len(r.Header) == 0 && r.URL.Path == "*" && r.Proto == "HTTP/2.0" 537 } 538 539 // Return value if nonempty, def otherwise. 540 func valueOrDefault(value, def string) string { 541 if value != "" { 542 return value 543 } 544 return def 545 } 546 547 // NOTE: This is not intended to reflect the actual Go version being used. 548 // It was changed at the time of Go 1.1 release because the former User-Agent 549 // had ended up blocked by some intrusion detection systems. 550 // See https://codereview.appspot.com/7532043. 551 const defaultUserAgent = "Go-http-client/1.1" 552 553 // Write writes an HTTP/1.1 request, which is the header and body, in wire format. 554 // This method consults the following fields of the request: 555 // 556 // Host 557 // URL 558 // Method (defaults to "GET") 559 // Header 560 // ContentLength 561 // TransferEncoding 562 // Body 563 // 564 // If Body is present, Content-Length is <= 0 and [Request.TransferEncoding] 565 // hasn't been set to "identity", Write adds "Transfer-Encoding: 566 // chunked" to the header. Body is closed after it is sent. 567 func (r *Request) Write(w io.Writer) error { 568 return r.write(w, false, nil, nil) 569 } 570 571 // WriteProxy is like [Request.Write] but writes the request in the form 572 // expected by an HTTP proxy. In particular, [Request.WriteProxy] writes the 573 // initial Request-URI line of the request with an absolute URI, per 574 // section 5.3 of RFC 7230, including the scheme and host. 575 // In either case, WriteProxy also writes a Host header, using 576 // either r.Host or r.URL.Host. 577 func (r *Request) WriteProxy(w io.Writer) error { 578 return r.write(w, true, nil, nil) 579 } 580 581 // errMissingHost is returned by Write when there is no Host or URL present in 582 // the Request. 583 var errMissingHost = errors.New("http: Request.Write on Request with no Host or URL set") 584 585 // extraHeaders may be nil 586 // waitForContinue may be nil 587 // always closes body 588 func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitForContinue func() bool) (err error) { 589 trace := httptrace.ContextClientTrace(r.Context()) 590 if trace != nil && trace.WroteRequest != nil { 591 defer func() { 592 trace.WroteRequest(httptrace.WroteRequestInfo{ 593 Err: err, 594 }) 595 }() 596 } 597 closed := false 598 defer func() { 599 if closed { 600 return 601 } 602 if closeErr := r.closeBody(); closeErr != nil && err == nil { 603 err = closeErr 604 } 605 }() 606 607 // Find the target host. Prefer the Host: header, but if that 608 // is not given, use the host from the request URL. 609 // 610 // Clean the host, in case it arrives with unexpected stuff in it. 611 host := r.Host 612 if host == "" { 613 if r.URL == nil { 614 return errMissingHost 615 } 616 host = r.URL.Host 617 } 618 host, err = httpguts.PunycodeHostPort(host) 619 if err != nil { 620 return err 621 } 622 // Validate that the Host header is a valid header in general, 623 // but don't validate the host itself. This is sufficient to avoid 624 // header or request smuggling via the Host field. 625 // The server can (and will, if it's a net/http server) reject 626 // the request if it doesn't consider the host valid. 627 if !httpguts.ValidHostHeader(host) { 628 // Historically, we would truncate the Host header after '/' or ' '. 629 // Some users have relied on this truncation to convert a network 630 // address such as Unix domain socket path into a valid, ignored 631 // Host header (see https://go.dev/issue/61431). 632 // 633 // We don't preserve the truncation, because sending an altered 634 // header field opens a smuggling vector. Instead, zero out the 635 // Host header entirely if it isn't valid. (An empty Host is valid; 636 // see RFC 9112 Section 3.2.) 637 // 638 // Return an error if we're sending to a proxy, since the proxy 639 // probably can't do anything useful with an empty Host header. 640 if !usingProxy { 641 host = "" 642 } else { 643 return errors.New("http: invalid Host header") 644 } 645 } 646 647 // According to RFC 6874, an HTTP client, proxy, or other 648 // intermediary must remove any IPv6 zone identifier attached 649 // to an outgoing URI. 650 host = removeZone(host) 651 652 ruri := r.URL.RequestURI() 653 if usingProxy && r.URL.Scheme != "" && r.URL.Opaque == "" { 654 ruri = r.URL.Scheme + "://" + host + ruri 655 } else if r.Method == "CONNECT" && r.URL.Path == "" { 656 // CONNECT requests normally give just the host and port, not a full URL. 657 ruri = host 658 if r.URL.Opaque != "" { 659 ruri = r.URL.Opaque 660 } 661 } 662 if stringContainsCTLByte(ruri) { 663 return errors.New("net/http: can't write control character in Request.URL") 664 } 665 // TODO: validate r.Method too? At least it's less likely to 666 // come from an attacker (more likely to be a constant in 667 // code). 668 669 // Wrap the writer in a bufio Writer if it's not already buffered. 670 // Don't always call NewWriter, as that forces a bytes.Buffer 671 // and other small bufio Writers to have a minimum 4k buffer 672 // size. 673 var bw *bufio.Writer 674 if _, ok := w.(io.ByteWriter); !ok { 675 bw = bufio.NewWriter(w) 676 w = bw 677 } 678 679 _, err = fmt.Fprintf(w, "%s %s HTTP/1.1\r\n", valueOrDefault(r.Method, "GET"), ruri) 680 if err != nil { 681 return err 682 } 683 684 // Header lines 685 _, err = fmt.Fprintf(w, "Host: %s\r\n", host) 686 if err != nil { 687 return err 688 } 689 if trace != nil && trace.WroteHeaderField != nil { 690 trace.WroteHeaderField("Host", []string{host}) 691 } 692 693 // Use the defaultUserAgent unless the Header contains one, which 694 // may be blank to not send the header. 695 userAgent := defaultUserAgent 696 if r.Header.has("User-Agent") { 697 userAgent = r.Header.Get("User-Agent") 698 } 699 if userAgent != "" { 700 userAgent = headerNewlineToSpace.Replace(userAgent) 701 userAgent = textproto.TrimString(userAgent) 702 _, err = fmt.Fprintf(w, "User-Agent: %s\r\n", userAgent) 703 if err != nil { 704 return err 705 } 706 if trace != nil && trace.WroteHeaderField != nil { 707 trace.WroteHeaderField("User-Agent", []string{userAgent}) 708 } 709 } 710 711 // Process Body,ContentLength,Close,Trailer 712 tw, err := newTransferWriter(r) 713 if err != nil { 714 return err 715 } 716 err = tw.writeHeader(w, trace) 717 if err != nil { 718 return err 719 } 720 721 err = r.Header.writeSubset(w, reqWriteExcludeHeader, trace) 722 if err != nil { 723 return err 724 } 725 726 if extraHeaders != nil { 727 err = extraHeaders.write(w, trace) 728 if err != nil { 729 return err 730 } 731 } 732 733 _, err = io.WriteString(w, "\r\n") 734 if err != nil { 735 return err 736 } 737 738 if trace != nil && trace.WroteHeaders != nil { 739 trace.WroteHeaders() 740 } 741 742 // Flush and wait for 100-continue if expected. 743 if waitForContinue != nil { 744 if bw, ok := w.(*bufio.Writer); ok { 745 err = bw.Flush() 746 if err != nil { 747 return err 748 } 749 } 750 if trace != nil && trace.Wait100Continue != nil { 751 trace.Wait100Continue() 752 } 753 if !waitForContinue() { 754 closed = true 755 r.closeBody() 756 return nil 757 } 758 } 759 760 if bw, ok := w.(*bufio.Writer); ok && tw.FlushHeaders { 761 if err := bw.Flush(); err != nil { 762 return err 763 } 764 } 765 766 // Write body and trailer 767 closed = true 768 err = tw.writeBody(w) 769 if err != nil { 770 if tw.bodyReadError == err { 771 err = requestBodyReadError{err} 772 } 773 return err 774 } 775 776 if bw != nil { 777 return bw.Flush() 778 } 779 return nil 780 } 781 782 // requestBodyReadError wraps an error from (*Request).write to indicate 783 // that the error came from a Read call on the Request.Body. 784 // This error type should not escape the net/http package to users. 785 type requestBodyReadError struct{ error } 786 787 func idnaASCII(v string) (string, error) { 788 // TODO: Consider removing this check after verifying performance is okay. 789 // Right now punycode verification, length checks, context checks, and the 790 // permissible character tests are all omitted. It also prevents the ToASCII 791 // call from salvaging an invalid IDN, when possible. As a result it may be 792 // possible to have two IDNs that appear identical to the user where the 793 // ASCII-only version causes an error downstream whereas the non-ASCII 794 // version does not. 795 // Note that for correct ASCII IDNs ToASCII will only do considerably more 796 // work, but it will not cause an allocation. 797 if ascii.Is(v) { 798 return v, nil 799 } 800 return idna.Lookup.ToASCII(v) 801 } 802 803 // removeZone removes IPv6 zone identifier from host. 804 // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080" 805 func removeZone(host string) string { 806 if !strings.HasPrefix(host, "[") { 807 return host 808 } 809 i := strings.LastIndex(host, "]") 810 if i < 0 { 811 return host 812 } 813 j := strings.LastIndex(host[:i], "%") 814 if j < 0 { 815 return host 816 } 817 return host[:j] + host[i:] 818 } 819 820 // ParseHTTPVersion parses an HTTP version string according to RFC 7230, section 2.6. 821 // "HTTP/1.0" returns (1, 0, true). Note that strings without 822 // a minor version, such as "HTTP/2", are not valid. 823 func ParseHTTPVersion(vers string) (major, minor int, ok bool) { 824 switch vers { 825 case "HTTP/1.1": 826 return 1, 1, true 827 case "HTTP/1.0": 828 return 1, 0, true 829 } 830 if !strings.HasPrefix(vers, "HTTP/") { 831 return 0, 0, false 832 } 833 if len(vers) != len("HTTP/X.Y") { 834 return 0, 0, false 835 } 836 if vers[6] != '.' { 837 return 0, 0, false 838 } 839 maj, err := strconv.ParseUint(vers[5:6], 10, 0) 840 if err != nil { 841 return 0, 0, false 842 } 843 min, err := strconv.ParseUint(vers[7:8], 10, 0) 844 if err != nil { 845 return 0, 0, false 846 } 847 return int(maj), int(min), true 848 } 849 850 func validMethod(method string) bool { 851 /* 852 Method = "OPTIONS" ; Section 9.2 853 | "GET" ; Section 9.3 854 | "HEAD" ; Section 9.4 855 | "POST" ; Section 9.5 856 | "PUT" ; Section 9.6 857 | "DELETE" ; Section 9.7 858 | "TRACE" ; Section 9.8 859 | "CONNECT" ; Section 9.9 860 | extension-method 861 extension-method = token 862 token = 1*<any CHAR except CTLs or separators> 863 */ 864 return len(method) > 0 && strings.IndexFunc(method, isNotToken) == -1 865 } 866 867 // NewRequest wraps [NewRequestWithContext] using [context.Background]. 868 func NewRequest(method, url string, body io.Reader) (*Request, error) { 869 return NewRequestWithContext(context.Background(), method, url, body) 870 } 871 872 // NewRequestWithContext returns a new [Request] given a method, URL, and 873 // optional body. 874 // 875 // If the provided body is also an [io.Closer], the returned 876 // [Request.Body] is set to body and will be closed (possibly 877 // asynchronously) by the Client methods Do, Post, and PostForm, 878 // and [Transport.RoundTrip]. 879 // 880 // NewRequestWithContext returns a Request suitable for use with 881 // [Client.Do] or [Transport.RoundTrip]. To create a request for use with 882 // testing a Server Handler, either use the [NewRequest] function in the 883 // net/http/httptest package, use [ReadRequest], or manually update the 884 // Request fields. For an outgoing client request, the context 885 // controls the entire lifetime of a request and its response: 886 // obtaining a connection, sending the request, and reading the 887 // response headers and body. See the Request type's documentation for 888 // the difference between inbound and outbound request fields. 889 // 890 // If body is of type [*bytes.Buffer], [*bytes.Reader], or 891 // [*strings.Reader], the returned request's ContentLength is set to its 892 // exact value (instead of -1), GetBody is populated (so 307 and 308 893 // redirects can replay the body), and Body is set to [NoBody] if the 894 // ContentLength is 0. 895 func NewRequestWithContext(ctx context.Context, method, url string, body io.Reader) (*Request, error) { 896 if method == "" { 897 // We document that "" means "GET" for Request.Method, and people have 898 // relied on that from NewRequest, so keep that working. 899 // We still enforce validMethod for non-empty methods. 900 method = "GET" 901 } 902 if !validMethod(method) { 903 return nil, fmt.Errorf("net/http: invalid method %q", method) 904 } 905 if ctx == nil { 906 return nil, errors.New("net/http: nil Context") 907 } 908 u, err := urlpkg.Parse(url) 909 if err != nil { 910 return nil, err 911 } 912 rc, ok := body.(io.ReadCloser) 913 if !ok && body != nil { 914 rc = io.NopCloser(body) 915 } 916 // The host's colon:port should be normalized. See Issue 14836. 917 u.Host = removeEmptyPort(u.Host) 918 req := &Request{ 919 ctx: ctx, 920 Method: method, 921 URL: u, 922 Proto: "HTTP/1.1", 923 ProtoMajor: 1, 924 ProtoMinor: 1, 925 Header: make(Header), 926 Body: rc, 927 Host: u.Host, 928 } 929 if body != nil { 930 switch v := body.(type) { 931 case *bytes.Buffer: 932 req.ContentLength = int64(v.Len()) 933 buf := v.Bytes() 934 req.GetBody = func() (io.ReadCloser, error) { 935 r := bytes.NewReader(buf) 936 return io.NopCloser(r), nil 937 } 938 case *bytes.Reader: 939 req.ContentLength = int64(v.Len()) 940 snapshot := *v 941 req.GetBody = func() (io.ReadCloser, error) { 942 r := snapshot 943 return io.NopCloser(&r), nil 944 } 945 case *strings.Reader: 946 req.ContentLength = int64(v.Len()) 947 snapshot := *v 948 req.GetBody = func() (io.ReadCloser, error) { 949 r := snapshot 950 return io.NopCloser(&r), nil 951 } 952 default: 953 // This is where we'd set it to -1 (at least 954 // if body != NoBody) to mean unknown, but 955 // that broke people during the Go 1.8 testing 956 // period. People depend on it being 0 I 957 // guess. Maybe retry later. See Issue 18117. 958 } 959 // For client requests, Request.ContentLength of 0 960 // means either actually 0, or unknown. The only way 961 // to explicitly say that the ContentLength is zero is 962 // to set the Body to nil. But turns out too much code 963 // depends on NewRequest returning a non-nil Body, 964 // so we use a well-known ReadCloser variable instead 965 // and have the http package also treat that sentinel 966 // variable to mean explicitly zero. 967 if req.GetBody != nil && req.ContentLength == 0 { 968 req.Body = NoBody 969 req.GetBody = func() (io.ReadCloser, error) { return NoBody, nil } 970 } 971 } 972 973 return req, nil 974 } 975 976 // BasicAuth returns the username and password provided in the request's 977 // Authorization header, if the request uses HTTP Basic Authentication. 978 // See RFC 2617, Section 2. 979 func (r *Request) BasicAuth() (username, password string, ok bool) { 980 auth := r.Header.Get("Authorization") 981 if auth == "" { 982 return "", "", false 983 } 984 return parseBasicAuth(auth) 985 } 986 987 // parseBasicAuth parses an HTTP Basic Authentication string. 988 // "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" returns ("Aladdin", "open sesame", true). 989 func parseBasicAuth(auth string) (username, password string, ok bool) { 990 const prefix = "Basic " 991 // Case insensitive prefix match. See Issue 22736. 992 if len(auth) < len(prefix) || !ascii.EqualFold(auth[:len(prefix)], prefix) { 993 return "", "", false 994 } 995 c, err := base64.StdEncoding.DecodeString(auth[len(prefix):]) 996 if err != nil { 997 return "", "", false 998 } 999 cs := string(c) 1000 username, password, ok = strings.Cut(cs, ":") 1001 if !ok { 1002 return "", "", false 1003 } 1004 return username, password, true 1005 } 1006 1007 // SetBasicAuth sets the request's Authorization header to use HTTP 1008 // Basic Authentication with the provided username and password. 1009 // 1010 // With HTTP Basic Authentication the provided username and password 1011 // are not encrypted. It should generally only be used in an HTTPS 1012 // request. 1013 // 1014 // The username may not contain a colon. Some protocols may impose 1015 // additional requirements on pre-escaping the username and 1016 // password. For instance, when used with OAuth2, both arguments must 1017 // be URL encoded first with [url.QueryEscape]. 1018 func (r *Request) SetBasicAuth(username, password string) { 1019 r.Header.Set("Authorization", "Basic "+basicAuth(username, password)) 1020 } 1021 1022 // parseRequestLine parses "GET /foo HTTP/1.1" into its three parts. 1023 func parseRequestLine(line string) (method, requestURI, proto string, ok bool) { 1024 method, rest, ok1 := strings.Cut(line, " ") 1025 requestURI, proto, ok2 := strings.Cut(rest, " ") 1026 if !ok1 || !ok2 { 1027 return "", "", "", false 1028 } 1029 return method, requestURI, proto, true 1030 } 1031 1032 var textprotoReaderPool sync.Pool 1033 1034 func newTextprotoReader(br *bufio.Reader) *textproto.Reader { 1035 if v := textprotoReaderPool.Get(); v != nil { 1036 tr := v.(*textproto.Reader) 1037 tr.R = br 1038 return tr 1039 } 1040 return textproto.NewReader(br) 1041 } 1042 1043 func putTextprotoReader(r *textproto.Reader) { 1044 r.R = nil 1045 textprotoReaderPool.Put(r) 1046 } 1047 1048 // ReadRequest reads and parses an incoming request from b. 1049 // 1050 // ReadRequest is a low-level function and should only be used for 1051 // specialized applications; most code should use the [Server] to read 1052 // requests and handle them via the [Handler] interface. ReadRequest 1053 // only supports HTTP/1.x requests. For HTTP/2, use golang.org/x/net/http2. 1054 func ReadRequest(b *bufio.Reader) (*Request, error) { 1055 req, err := readRequest(b) 1056 if err != nil { 1057 return nil, err 1058 } 1059 1060 delete(req.Header, "Host") 1061 return req, err 1062 } 1063 1064 func readRequest(b *bufio.Reader) (req *Request, err error) { 1065 tp := newTextprotoReader(b) 1066 defer putTextprotoReader(tp) 1067 1068 req = new(Request) 1069 1070 // First line: GET /index.html HTTP/1.0 1071 var s string 1072 if s, err = tp.ReadLine(); err != nil { 1073 return nil, err 1074 } 1075 defer func() { 1076 if err == io.EOF { 1077 err = io.ErrUnexpectedEOF 1078 } 1079 }() 1080 1081 var ok bool 1082 req.Method, req.RequestURI, req.Proto, ok = parseRequestLine(s) 1083 if !ok { 1084 return nil, badStringError("malformed HTTP request", s) 1085 } 1086 if !validMethod(req.Method) { 1087 return nil, badStringError("invalid method", req.Method) 1088 } 1089 rawurl := req.RequestURI 1090 if req.ProtoMajor, req.ProtoMinor, ok = ParseHTTPVersion(req.Proto); !ok { 1091 return nil, badStringError("malformed HTTP version", req.Proto) 1092 } 1093 1094 // CONNECT requests are used two different ways, and neither uses a full URL: 1095 // The standard use is to tunnel HTTPS through an HTTP proxy. 1096 // It looks like "CONNECT www.google.com:443 HTTP/1.1", and the parameter is 1097 // just the authority section of a URL. This information should go in req.URL.Host. 1098 // 1099 // The net/rpc package also uses CONNECT, but there the parameter is a path 1100 // that starts with a slash. It can be parsed with the regular URL parser, 1101 // and the path will end up in req.URL.Path, where it needs to be in order for 1102 // RPC to work. 1103 justAuthority := req.Method == "CONNECT" && !strings.HasPrefix(rawurl, "/") 1104 if justAuthority { 1105 rawurl = "http://" + rawurl 1106 } 1107 1108 if req.URL, err = url.ParseRequestURI(rawurl); err != nil { 1109 return nil, err 1110 } 1111 1112 if justAuthority { 1113 // Strip the bogus "http://" back off. 1114 req.URL.Scheme = "" 1115 } 1116 1117 // Subsequent lines: Key: value. 1118 mimeHeader, err := tp.ReadMIMEHeader() 1119 if err != nil { 1120 return nil, err 1121 } 1122 req.Header = Header(mimeHeader) 1123 if len(req.Header["Host"]) > 1 { 1124 return nil, fmt.Errorf("too many Host headers") 1125 } 1126 1127 // RFC 7230, section 5.3: Must treat 1128 // GET /index.html HTTP/1.1 1129 // Host: www.google.com 1130 // and 1131 // GET http://www.google.com/index.html HTTP/1.1 1132 // Host: doesntmatter 1133 // the same. In the second case, any Host line is ignored. 1134 req.Host = req.URL.Host 1135 if req.Host == "" { 1136 req.Host = req.Header.get("Host") 1137 } 1138 1139 fixPragmaCacheControl(req.Header) 1140 1141 req.Close = shouldClose(req.ProtoMajor, req.ProtoMinor, req.Header, false) 1142 1143 err = readTransfer(req, b) 1144 if err != nil { 1145 return nil, err 1146 } 1147 1148 if req.isH2Upgrade() { 1149 // Because it's neither chunked, nor declared: 1150 req.ContentLength = -1 1151 1152 // We want to give handlers a chance to hijack the 1153 // connection, but we need to prevent the Server from 1154 // dealing with the connection further if it's not 1155 // hijacked. Set Close to ensure that: 1156 req.Close = true 1157 } 1158 return req, nil 1159 } 1160 1161 // MaxBytesReader is similar to [io.LimitReader] but is intended for 1162 // limiting the size of incoming request bodies. In contrast to 1163 // io.LimitReader, MaxBytesReader's result is a ReadCloser, returns a 1164 // non-nil error of type [*MaxBytesError] for a Read beyond the limit, 1165 // and closes the underlying reader when its Close method is called. 1166 // 1167 // MaxBytesReader prevents clients from accidentally or maliciously 1168 // sending a large request and wasting server resources. If possible, 1169 // it tells the [ResponseWriter] to close the connection after the limit 1170 // has been reached. 1171 func MaxBytesReader(w ResponseWriter, r io.ReadCloser, n int64) io.ReadCloser { 1172 if n < 0 { // Treat negative limits as equivalent to 0. 1173 n = 0 1174 } 1175 return &maxBytesReader{w: w, r: r, i: n, n: n} 1176 } 1177 1178 // MaxBytesError is returned by [MaxBytesReader] when its read limit is exceeded. 1179 type MaxBytesError struct { 1180 Limit int64 1181 } 1182 1183 func (e *MaxBytesError) Error() string { 1184 // Due to Hyrum's law, this text cannot be changed. 1185 return "http: request body too large" 1186 } 1187 1188 type maxBytesReader struct { 1189 w ResponseWriter 1190 r io.ReadCloser // underlying reader 1191 i int64 // max bytes initially, for MaxBytesError 1192 n int64 // max bytes remaining 1193 err error // sticky error 1194 } 1195 1196 func (l *maxBytesReader) Read(p []byte) (n int, err error) { 1197 if l.err != nil { 1198 return 0, l.err 1199 } 1200 if len(p) == 0 { 1201 return 0, nil 1202 } 1203 // If they asked for a 32KB byte read but only 5 bytes are 1204 // remaining, no need to read 32KB. 6 bytes will answer the 1205 // question of the whether we hit the limit or go past it. 1206 // 0 < len(p) < 2^63 1207 if int64(len(p))-1 > l.n { 1208 p = p[:l.n+1] 1209 } 1210 n, err = l.r.Read(p) 1211 1212 if int64(n) <= l.n { 1213 l.n -= int64(n) 1214 l.err = err 1215 return n, err 1216 } 1217 1218 n = int(l.n) 1219 l.n = 0 1220 1221 // The server code and client code both use 1222 // maxBytesReader. This "requestTooLarge" check is 1223 // only used by the server code. To prevent binaries 1224 // which only using the HTTP Client code (such as 1225 // cmd/go) from also linking in the HTTP server, don't 1226 // use a static type assertion to the server 1227 // "*response" type. Check this interface instead: 1228 type requestTooLarger interface { 1229 requestTooLarge() 1230 } 1231 if res, ok := l.w.(requestTooLarger); ok { 1232 res.requestTooLarge() 1233 } 1234 l.err = &MaxBytesError{l.i} 1235 return n, l.err 1236 } 1237 1238 func (l *maxBytesReader) Close() error { 1239 return l.r.Close() 1240 } 1241 1242 func copyValues(dst, src url.Values) { 1243 for k, vs := range src { 1244 dst[k] = append(dst[k], vs...) 1245 } 1246 } 1247 1248 func parsePostForm(r *Request) (vs url.Values, err error) { 1249 if r.Body == nil { 1250 err = errors.New("missing form body") 1251 return 1252 } 1253 ct := r.Header.Get("Content-Type") 1254 // RFC 7231, section 3.1.1.5 - empty type 1255 // MAY be treated as application/octet-stream 1256 if ct == "" { 1257 ct = "application/octet-stream" 1258 } 1259 ct, _, err = mime.ParseMediaType(ct) 1260 switch { 1261 case ct == "application/x-www-form-urlencoded": 1262 var reader io.Reader = r.Body 1263 maxFormSize := int64(1<<63 - 1) 1264 if _, ok := r.Body.(*maxBytesReader); !ok { 1265 maxFormSize = int64(10 << 20) // 10 MB is a lot of text. 1266 reader = io.LimitReader(r.Body, maxFormSize+1) 1267 } 1268 b, e := io.ReadAll(reader) 1269 if e != nil { 1270 if err == nil { 1271 err = e 1272 } 1273 break 1274 } 1275 if int64(len(b)) > maxFormSize { 1276 err = errors.New("http: POST too large") 1277 return 1278 } 1279 vs, e = url.ParseQuery(string(b)) 1280 if err == nil { 1281 err = e 1282 } 1283 case ct == "multipart/form-data": 1284 // handled by ParseMultipartForm (which is calling us, or should be) 1285 // TODO(bradfitz): there are too many possible 1286 // orders to call too many functions here. 1287 // Clean this up and write more tests. 1288 // request_test.go contains the start of this, 1289 // in TestParseMultipartFormOrder and others. 1290 } 1291 return 1292 } 1293 1294 // ParseForm populates r.Form and r.PostForm. 1295 // 1296 // For all requests, ParseForm parses the raw query from the URL and updates 1297 // r.Form. 1298 // 1299 // For POST, PUT, and PATCH requests, it also reads the request body, parses it 1300 // as a form and puts the results into both r.PostForm and r.Form. Request body 1301 // parameters take precedence over URL query string values in r.Form. 1302 // 1303 // If the request Body's size has not already been limited by [MaxBytesReader], 1304 // the size is capped at 10MB. 1305 // 1306 // For other HTTP methods, or when the Content-Type is not 1307 // application/x-www-form-urlencoded, the request Body is not read, and 1308 // r.PostForm is initialized to a non-nil, empty value. 1309 // 1310 // [Request.ParseMultipartForm] calls ParseForm automatically. 1311 // ParseForm is idempotent. 1312 func (r *Request) ParseForm() error { 1313 var err error 1314 if r.PostForm == nil { 1315 if r.Method == "POST" || r.Method == "PUT" || r.Method == "PATCH" { 1316 r.PostForm, err = parsePostForm(r) 1317 } 1318 if r.PostForm == nil { 1319 r.PostForm = make(url.Values) 1320 } 1321 } 1322 if r.Form == nil { 1323 if len(r.PostForm) > 0 { 1324 r.Form = make(url.Values) 1325 copyValues(r.Form, r.PostForm) 1326 } 1327 var newValues url.Values 1328 if r.URL != nil { 1329 var e error 1330 newValues, e = url.ParseQuery(r.URL.RawQuery) 1331 if err == nil { 1332 err = e 1333 } 1334 } 1335 if newValues == nil { 1336 newValues = make(url.Values) 1337 } 1338 if r.Form == nil { 1339 r.Form = newValues 1340 } else { 1341 copyValues(r.Form, newValues) 1342 } 1343 } 1344 return err 1345 } 1346 1347 // ParseMultipartForm parses a request body as multipart/form-data. 1348 // The whole request body is parsed and up to a total of maxMemory bytes of 1349 // its file parts are stored in memory, with the remainder stored on 1350 // disk in temporary files. 1351 // ParseMultipartForm calls [Request.ParseForm] if necessary. 1352 // If ParseForm returns an error, ParseMultipartForm returns it but also 1353 // continues parsing the request body. 1354 // After one call to ParseMultipartForm, subsequent calls have no effect. 1355 func (r *Request) ParseMultipartForm(maxMemory int64) error { 1356 if r.MultipartForm == multipartByReader { 1357 return errors.New("http: multipart handled by MultipartReader") 1358 } 1359 var parseFormErr error 1360 if r.Form == nil { 1361 // Let errors in ParseForm fall through, and just 1362 // return it at the end. 1363 parseFormErr = r.ParseForm() 1364 } 1365 if r.MultipartForm != nil { 1366 return nil 1367 } 1368 1369 mr, err := r.multipartReader(false) 1370 if err != nil { 1371 return err 1372 } 1373 1374 f, err := mr.ReadForm(maxMemory) 1375 if err != nil { 1376 return err 1377 } 1378 1379 if r.PostForm == nil { 1380 r.PostForm = make(url.Values) 1381 } 1382 for k, v := range f.Value { 1383 r.Form[k] = append(r.Form[k], v...) 1384 // r.PostForm should also be populated. See Issue 9305. 1385 r.PostForm[k] = append(r.PostForm[k], v...) 1386 } 1387 1388 r.MultipartForm = f 1389 1390 return parseFormErr 1391 } 1392 1393 // FormValue returns the first value for the named component of the query. 1394 // The precedence order: 1395 // 1. application/x-www-form-urlencoded form body (POST, PUT, PATCH only) 1396 // 2. query parameters (always) 1397 // 3. multipart/form-data form body (always) 1398 // 1399 // FormValue calls [Request.ParseMultipartForm] and [Request.ParseForm] 1400 // if necessary and ignores any errors returned by these functions. 1401 // If key is not present, FormValue returns the empty string. 1402 // To access multiple values of the same key, call ParseForm and 1403 // then inspect [Request.Form] directly. 1404 func (r *Request) FormValue(key string) string { 1405 if r.Form == nil { 1406 r.ParseMultipartForm(defaultMaxMemory) 1407 } 1408 if vs := r.Form[key]; len(vs) > 0 { 1409 return vs[0] 1410 } 1411 return "" 1412 } 1413 1414 // PostFormValue returns the first value for the named component of the POST, 1415 // PUT, or PATCH request body. URL query parameters are ignored. 1416 // PostFormValue calls [Request.ParseMultipartForm] and [Request.ParseForm] if necessary and ignores 1417 // any errors returned by these functions. 1418 // If key is not present, PostFormValue returns the empty string. 1419 func (r *Request) PostFormValue(key string) string { 1420 if r.PostForm == nil { 1421 r.ParseMultipartForm(defaultMaxMemory) 1422 } 1423 if vs := r.PostForm[key]; len(vs) > 0 { 1424 return vs[0] 1425 } 1426 return "" 1427 } 1428 1429 // FormFile returns the first file for the provided form key. 1430 // FormFile calls [Request.ParseMultipartForm] and [Request.ParseForm] if necessary. 1431 func (r *Request) FormFile(key string) (multipart.File, *multipart.FileHeader, error) { 1432 if r.MultipartForm == multipartByReader { 1433 return nil, nil, errors.New("http: multipart handled by MultipartReader") 1434 } 1435 if r.MultipartForm == nil { 1436 err := r.ParseMultipartForm(defaultMaxMemory) 1437 if err != nil { 1438 return nil, nil, err 1439 } 1440 } 1441 if r.MultipartForm != nil && r.MultipartForm.File != nil { 1442 if fhs := r.MultipartForm.File[key]; len(fhs) > 0 { 1443 f, err := fhs[0].Open() 1444 return f, fhs[0], err 1445 } 1446 } 1447 return nil, nil, ErrMissingFile 1448 } 1449 1450 // PathValue returns the value for the named path wildcard in the [ServeMux] pattern 1451 // that matched the request. 1452 // It returns the empty string if the request was not matched against a pattern 1453 // or there is no such wildcard in the pattern. 1454 func (r *Request) PathValue(name string) string { 1455 if i := r.patIndex(name); i >= 0 { 1456 return r.matches[i] 1457 } 1458 return r.otherValues[name] 1459 } 1460 1461 // SetPathValue sets name to value, so that subsequent calls to r.PathValue(name) 1462 // return value. 1463 func (r *Request) SetPathValue(name, value string) { 1464 if i := r.patIndex(name); i >= 0 { 1465 r.matches[i] = value 1466 } else { 1467 if r.otherValues == nil { 1468 r.otherValues = map[string]string{} 1469 } 1470 r.otherValues[name] = value 1471 } 1472 } 1473 1474 // patIndex returns the index of name in the list of named wildcards of the 1475 // request's pattern, or -1 if there is no such name. 1476 func (r *Request) patIndex(name string) int { 1477 // The linear search seems expensive compared to a map, but just creating the map 1478 // takes a lot of time, and most patterns will just have a couple of wildcards. 1479 if r.pat == nil { 1480 return -1 1481 } 1482 i := 0 1483 for _, seg := range r.pat.segments { 1484 if seg.wild && seg.s != "" { 1485 if name == seg.s { 1486 return i 1487 } 1488 i++ 1489 } 1490 } 1491 return -1 1492 } 1493 1494 func (r *Request) expectsContinue() bool { 1495 return hasToken(r.Header.get("Expect"), "100-continue") 1496 } 1497 1498 func (r *Request) wantsHttp10KeepAlive() bool { 1499 if r.ProtoMajor != 1 || r.ProtoMinor != 0 { 1500 return false 1501 } 1502 return hasToken(r.Header.get("Connection"), "keep-alive") 1503 } 1504 1505 func (r *Request) wantsClose() bool { 1506 if r.Close { 1507 return true 1508 } 1509 return hasToken(r.Header.get("Connection"), "close") 1510 } 1511 1512 func (r *Request) closeBody() error { 1513 if r.Body == nil { 1514 return nil 1515 } 1516 return r.Body.Close() 1517 } 1518 1519 func (r *Request) isReplayable() bool { 1520 if r.Body == nil || r.Body == NoBody || r.GetBody != nil { 1521 switch valueOrDefault(r.Method, "GET") { 1522 case "GET", "HEAD", "OPTIONS", "TRACE": 1523 return true 1524 } 1525 // The Idempotency-Key, while non-standard, is widely used to 1526 // mean a POST or other request is idempotent. See 1527 // https://golang.org/issue/19943#issuecomment-421092421 1528 if r.Header.has("Idempotency-Key") || r.Header.has("X-Idempotency-Key") { 1529 return true 1530 } 1531 } 1532 return false 1533 } 1534 1535 // outgoingLength reports the Content-Length of this outgoing (Client) request. 1536 // It maps 0 into -1 (unknown) when the Body is non-nil. 1537 func (r *Request) outgoingLength() int64 { 1538 if r.Body == nil || r.Body == NoBody { 1539 return 0 1540 } 1541 if r.ContentLength != 0 { 1542 return r.ContentLength 1543 } 1544 return -1 1545 } 1546 1547 // requestMethodUsuallyLacksBody reports whether the given request 1548 // method is one that typically does not involve a request body. 1549 // This is used by the Transport (via 1550 // transferWriter.shouldSendChunkedRequestBody) to determine whether 1551 // we try to test-read a byte from a non-nil Request.Body when 1552 // Request.outgoingLength() returns -1. See the comments in 1553 // shouldSendChunkedRequestBody. 1554 func requestMethodUsuallyLacksBody(method string) bool { 1555 switch method { 1556 case "GET", "HEAD", "DELETE", "OPTIONS", "PROPFIND", "SEARCH": 1557 return true 1558 } 1559 return false 1560 } 1561 1562 // requiresHTTP1 reports whether this request requires being sent on 1563 // an HTTP/1 connection. 1564 func (r *Request) requiresHTTP1() bool { 1565 return hasToken(r.Header.Get("Connection"), "upgrade") && 1566 ascii.EqualFold(r.Header.Get("Upgrade"), "websocket") 1567 } 1568