Skip to content

fix: skip duplicate HTTP status lines in ReadResponse #542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mzack9999 merged 2 commits into from
Jun 16, 2026
Merged

fix: skip duplicate HTTP status lines in ReadResponse #542

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8917c17
fix: skip duplicate HTTP status lines in ReadResponse
XananasX7 Jun 16, 2026
ac0c5d1
harden parser
Mzack9999 Jun 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions client/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,13 +124,38 @@ func (c *client) WriteRequest(req *Request) error {
return c.WriteBody(req.Body)
}

// maxDuplicateStatusLines bounds how many repeated status lines we are willing
// to discard, so a misbehaving (or malicious) server streaming "HTTP/..." lines
// indefinitely cannot keep us looping.
const maxDuplicateStatusLines = 8

// isStatusLine reports whether line looks like an HTTP status line
// (e.g. "HTTP/1.0 200 OK"). It is used to skip duplicate status lines
// emitted by some non-compliant servers.
func isStatusLine(line []byte) bool {
return bytes.HasPrefix(line, []byte("HTTP/"))
}

// ReadResponse unmarshalls a HTTP response.
func (c *client) ReadResponse(forceReadAll bool) (*Response, error) {
version, code, msg, err := c.ReadStatusLine()
var headers []Header
if err != nil {
return nil, fmt.Errorf("ReadStatusLine: %v", err)
}
// Some non-compliant servers (e.g. certain embedded devices) repeat the
// status line one or more times before the actual headers. Skip any such
// duplicate status lines so that header parsing succeeds.
for i := 0; i < maxDuplicateStatusLines; i++ {
peeked, peekErr := c.Peek(5)
if peekErr != nil || !isStatusLine(peeked) {
break
}
// Discard the entire duplicate status line (read until newline).
if _, err := c.ReadBytes('\n'); err != nil {
break
}
}
for {
var key, value string
var done bool
Expand Down
28 changes: 28 additions & 0 deletions client/reader_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package client

import (
"bufio"
"io"
"strings"
"testing"

Expand Down Expand Up @@ -65,3 +66,30 @@ func TestReadVersion(t *testing.T) {
})
}
}

// readWriterStub wraps a strings.Reader to satisfy io.ReadWriter (writes are no-ops).
type readWriterStub struct{ *strings.Reader }

func (readWriterStub) Write(p []byte) (int, error) { return len(p), nil }

func TestReadResponseDuplicateStatusLines(t *testing.T) {
// Some non-compliant embedded devices (e.g. Grandstream HT801) emit the
// HTTP status line twice before the headers. rawhttp must not error on this.
raw := "HTTP/1.0 200 OK\r\nHTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
c := NewClient(readWriterStub{strings.NewReader(raw)})
resp, err := c.ReadResponse(false)
require.NoError(t, err, "ReadResponse must not fail on duplicate status lines")
require.Equal(t, 200, resp.Status.Code)
body, _ := io.ReadAll(resp.Body)
require.Equal(t, "hello", string(body))
}

func TestReadResponseTripleStatusLines(t *testing.T) {
// Also handle three consecutive status lines.
raw := "HTTP/1.0 200 OK\r\nHTTP/1.0 200 OK\r\nHTTP/1.0 200 OK\r\nX-Custom: test\r\n\r\n"
c := NewClient(readWriterStub{strings.NewReader(raw)})
resp, err := c.ReadResponse(false)
require.NoError(t, err, "ReadResponse must not fail on triple status lines")
require.Equal(t, 200, resp.Status.Code)
require.Equal(t, "test", resp.Headers[0].Value)
}
Loading