1 // Copyright 2016 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package httplex contains rules around lexical matters of various
6 // HTTP-related specifications.
8 // This package is shared by the standard library (which vendors it)
9 // and x/net/http2. It comes with no API stability promise.
17 "golang.org/x/net/idna"
20 var isTokenTable = [127]bool{
100 func IsTokenRune(r rune) bool {
102 return i < len(isTokenTable) && isTokenTable[i]
105 func isNotToken(r rune) bool {
106 return !IsTokenRune(r)
109 // HeaderValuesContainsToken reports whether any string in values
110 // contains the provided token, ASCII case-insensitively.
111 func HeaderValuesContainsToken(values []string, token string) bool {
112 for _, v := range values {
113 if headerValueContainsToken(v, token) {
120 // isOWS reports whether b is an optional whitespace byte, as defined
121 // by RFC 7230 section 3.2.3.
122 func isOWS(b byte) bool { return b == ' ' || b == '\t' }
124 // trimOWS returns x with all optional whitespace removes from the
125 // beginning and end.
126 func trimOWS(x string) string {
127 // TODO: consider using strings.Trim(x, " \t") instead,
128 // if and when it's fast enough. See issue 10292.
129 // But this ASCII-only code will probably always beat UTF-8
131 for len(x) > 0 && isOWS(x[0]) {
134 for len(x) > 0 && isOWS(x[len(x)-1]) {
140 // headerValueContainsToken reports whether v (assumed to be a
141 // 0#element, in the ABNF extension described in RFC 7230 section 7)
142 // contains token amongst its comma-separated tokens, ASCII
143 // case-insensitively.
144 func headerValueContainsToken(v string, token string) bool {
146 if comma := strings.IndexByte(v, ','); comma != -1 {
147 return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
149 return tokenEqual(v, token)
152 // lowerASCII returns the ASCII lowercase version of b.
153 func lowerASCII(b byte) byte {
154 if 'A' <= b && b <= 'Z' {
155 return b + ('a' - 'A')
160 // tokenEqual reports whether t1 and t2 are equal, ASCII case-insensitively.
161 func tokenEqual(t1, t2 string) bool {
162 if len(t1) != len(t2) {
165 for i, b := range t1 {
166 if b >= utf8.RuneSelf {
167 // No UTF-8 or non-ASCII allowed in tokens.
170 if lowerASCII(byte(b)) != lowerASCII(t2[i]) {
177 // isLWS reports whether b is linear white space, according
178 // to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
179 // LWS = [CRLF] 1*( SP | HT )
180 func isLWS(b byte) bool { return b == ' ' || b == '\t' }
182 // isCTL reports whether b is a control byte, according
183 // to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
184 // CTL = <any US-ASCII control character
185 // (octets 0 - 31) and DEL (127)>
186 func isCTL(b byte) bool {
187 const del = 0x7f // a CTL
188 return b < ' ' || b == del
191 // ValidHeaderFieldName reports whether v is a valid HTTP/1.x header name.
192 // HTTP/2 imposes the additional restriction that uppercase ASCII
193 // letters are not allowed.
196 // header-field = field-name ":" OWS field-value OWS
197 // field-name = token
199 // tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
200 // "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
201 func ValidHeaderFieldName(v string) bool {
205 for _, r := range v {
213 // ValidHostHeader reports whether h is a valid host header.
214 func ValidHostHeader(h string) bool {
215 // The latest spec is actually this:
217 // http://tools.ietf.org/html/rfc7230#section-5.4
218 // Host = uri-host [ ":" port ]
220 // Where uri-host is:
221 // http://tools.ietf.org/html/rfc3986#section-3.2.2
223 // But we're going to be much more lenient for now and just
224 // search for any byte that's not a valid byte in any of those
226 for i := 0; i < len(h); i++ {
227 if !validHostByte[h[i]] {
234 // See the validHostHeader comment.
235 var validHostByte = [256]bool{
236 '0': true, '1': true, '2': true, '3': true, '4': true, '5': true, '6': true, '7': true,
237 '8': true, '9': true,
239 'a': true, 'b': true, 'c': true, 'd': true, 'e': true, 'f': true, 'g': true, 'h': true,
240 'i': true, 'j': true, 'k': true, 'l': true, 'm': true, 'n': true, 'o': true, 'p': true,
241 'q': true, 'r': true, 's': true, 't': true, 'u': true, 'v': true, 'w': true, 'x': true,
242 'y': true, 'z': true,
244 'A': true, 'B': true, 'C': true, 'D': true, 'E': true, 'F': true, 'G': true, 'H': true,
245 'I': true, 'J': true, 'K': true, 'L': true, 'M': true, 'N': true, 'O': true, 'P': true,
246 'Q': true, 'R': true, 'S': true, 'T': true, 'U': true, 'V': true, 'W': true, 'X': true,
247 'Y': true, 'Z': true,
249 '!': true, // sub-delims
250 '$': true, // sub-delims
251 '%': true, // pct-encoded (and used in IPv6 zones)
252 '&': true, // sub-delims
253 '(': true, // sub-delims
254 ')': true, // sub-delims
255 '*': true, // sub-delims
256 '+': true, // sub-delims
257 ',': true, // sub-delims
258 '-': true, // unreserved
259 '.': true, // unreserved
260 ':': true, // IPv6address + Host expression's optional port
261 ';': true, // sub-delims
262 '=': true, // sub-delims
264 '\'': true, // sub-delims
266 '_': true, // unreserved
267 '~': true, // unreserved
270 // ValidHeaderFieldValue reports whether v is a valid "field-value" according to
271 // http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 :
273 // message-header = field-name ":" [ field-value ]
274 // field-value = *( field-content | LWS )
275 // field-content = <the OCTETs making up the field-value
276 // and consisting of either *TEXT or combinations
277 // of token, separators, and quoted-string>
279 // http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 :
281 // TEXT = <any OCTET except CTLs,
282 // but including LWS>
283 // LWS = [CRLF] 1*( SP | HT )
284 // CTL = <any US-ASCII control character
285 // (octets 0 - 31) and DEL (127)>
288 // field-value = *( field-content / obs-fold )
289 // obj-fold = N/A to http2, and deprecated
290 // field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
291 // field-vchar = VCHAR / obs-text
292 // obs-text = %x80-FF
293 // VCHAR = "any visible [USASCII] character"
295 // http2 further says: "Similarly, HTTP/2 allows header field values
296 // that are not valid. While most of the values that can be encoded
297 // will not alter header field parsing, carriage return (CR, ASCII
298 // 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII
299 // 0x0) might be exploited by an attacker if they are translated
300 // verbatim. Any request or response that contains a character not
301 // permitted in a header field value MUST be treated as malformed
302 // (Section 8.1.2.6). Valid characters are defined by the
303 // field-content ABNF rule in Section 3.2 of [RFC7230]."
305 // This function does not (yet?) properly handle the rejection of
306 // strings that begin or end with SP or HTAB.
307 func ValidHeaderFieldValue(v string) bool {
308 for i := 0; i < len(v); i++ {
310 if isCTL(b) && !isLWS(b) {
317 func isASCII(s string) bool {
318 for i := 0; i < len(s); i++ {
319 if s[i] >= utf8.RuneSelf {
326 // PunycodeHostPort returns the IDNA Punycode version
327 // of the provided "host" or "host:port" string.
328 func PunycodeHostPort(v string) (string, error) {
333 host, port, err := net.SplitHostPort(v)
335 // The input 'v' argument was just a "host" argument,
336 // without a port. This error should not be returned
341 host, err = idna.ToASCII(host)
343 // Non-UTF-8? Not representable in Punycode, in any
350 return net.JoinHostPort(host, port), nil