github.com/mdaxf/iac@v0.0.0-20240519030858-58a061660378/vendor_skip/golang.org/x/net/http/httpguts/httplex.go (about)

     1  // Copyright 2016 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package httpguts
     6  
     7  import (
     8  	"net"
     9  	"strings"
    10  	"unicode/utf8"
    11  
    12  	"golang.org/x/net/idna"
    13  )
    14  
    15  var isTokenTable = [127]bool{
    16  	'!':  true,
    17  	'#':  true,
    18  	'$':  true,
    19  	'%':  true,
    20  	'&':  true,
    21  	'\'': true,
    22  	'*':  true,
    23  	'+':  true,
    24  	'-':  true,
    25  	'.':  true,
    26  	'0':  true,
    27  	'1':  true,
    28  	'2':  true,
    29  	'3':  true,
    30  	'4':  true,
    31  	'5':  true,
    32  	'6':  true,
    33  	'7':  true,
    34  	'8':  true,
    35  	'9':  true,
    36  	'A':  true,
    37  	'B':  true,
    38  	'C':  true,
    39  	'D':  true,
    40  	'E':  true,
    41  	'F':  true,
    42  	'G':  true,
    43  	'H':  true,
    44  	'I':  true,
    45  	'J':  true,
    46  	'K':  true,
    47  	'L':  true,
    48  	'M':  true,
    49  	'N':  true,
    50  	'O':  true,
    51  	'P':  true,
    52  	'Q':  true,
    53  	'R':  true,
    54  	'S':  true,
    55  	'T':  true,
    56  	'U':  true,
    57  	'W':  true,
    58  	'V':  true,
    59  	'X':  true,
    60  	'Y':  true,
    61  	'Z':  true,
    62  	'^':  true,
    63  	'_':  true,
    64  	'`':  true,
    65  	'a':  true,
    66  	'b':  true,
    67  	'c':  true,
    68  	'd':  true,
    69  	'e':  true,
    70  	'f':  true,
    71  	'g':  true,
    72  	'h':  true,
    73  	'i':  true,
    74  	'j':  true,
    75  	'k':  true,
    76  	'l':  true,
    77  	'm':  true,
    78  	'n':  true,
    79  	'o':  true,
    80  	'p':  true,
    81  	'q':  true,
    82  	'r':  true,
    83  	's':  true,
    84  	't':  true,
    85  	'u':  true,
    86  	'v':  true,
    87  	'w':  true,
    88  	'x':  true,
    89  	'y':  true,
    90  	'z':  true,
    91  	'|':  true,
    92  	'~':  true,
    93  }
    94  
    95  func IsTokenRune(r rune) bool {
    96  	i := int(r)
    97  	return i < len(isTokenTable) && isTokenTable[i]
    98  }
    99  
   100  func isNotToken(r rune) bool {
   101  	return !IsTokenRune(r)
   102  }
   103  
   104  // HeaderValuesContainsToken reports whether any string in values
   105  // contains the provided token, ASCII case-insensitively.
   106  func HeaderValuesContainsToken(values []string, token string) bool {
   107  	for _, v := range values {
   108  		if headerValueContainsToken(v, token) {
   109  			return true
   110  		}
   111  	}
   112  	return false
   113  }
   114  
   115  // isOWS reports whether b is an optional whitespace byte, as defined
   116  // by RFC 7230 section 3.2.3.
   117  func isOWS(b byte) bool { return b == ' ' || b == '\t' }
   118  
   119  // trimOWS returns x with all optional whitespace removes from the
   120  // beginning and end.
   121  func trimOWS(x string) string {
   122  	// TODO: consider using strings.Trim(x, " \t") instead,
   123  	// if and when it's fast enough. See issue 10292.
   124  	// But this ASCII-only code will probably always beat UTF-8
   125  	// aware code.
   126  	for len(x) > 0 && isOWS(x[0]) {
   127  		x = x[1:]
   128  	}
   129  	for len(x) > 0 && isOWS(x[len(x)-1]) {
   130  		x = x[:len(x)-1]
   131  	}
   132  	return x
   133  }
   134  
   135  // headerValueContainsToken reports whether v (assumed to be a
   136  // 0#element, in the ABNF extension described in RFC 7230 section 7)
   137  // contains token amongst its comma-separated tokens, ASCII
   138  // case-insensitively.
   139  func headerValueContainsToken(v string, token string) bool {
   140  	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
   141  		if tokenEqual(trimOWS(v[:comma]), token) {
   142  			return true
   143  		}
   144  		v = v[comma+1:]
   145  	}
   146  	return tokenEqual(trimOWS(v), token)
   147  }
   148  
   149  // lowerASCII returns the ASCII lowercase version of b.
   150  func lowerASCII(b byte) byte {
   151  	if 'A' <= b && b <= 'Z' {
   152  		return b + ('a' - 'A')
   153  	}
   154  	return b
   155  }
   156  
   157  // tokenEqual reports whether t1 and t2 are equal, ASCII case-insensitively.
   158  func tokenEqual(t1, t2 string) bool {
   159  	if len(t1) != len(t2) {
   160  		return false
   161  	}
   162  	for i, b := range t1 {
   163  		if b >= utf8.RuneSelf {
   164  			// No UTF-8 or non-ASCII allowed in tokens.
   165  			return false
   166  		}
   167  		if lowerASCII(byte(b)) != lowerASCII(t2[i]) {
   168  			return false
   169  		}
   170  	}
   171  	return true
   172  }
   173  
   174  // isLWS reports whether b is linear white space, according
   175  // to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
   176  //
   177  //	LWS            = [CRLF] 1*( SP | HT )
   178  func isLWS(b byte) bool { return b == ' ' || b == '\t' }
   179  
   180  // isCTL reports whether b is a control byte, according
   181  // to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
   182  //
   183  //	CTL            = <any US-ASCII control character
   184  //	                 (octets 0 - 31) and DEL (127)>
   185  func isCTL(b byte) bool {
   186  	const del = 0x7f // a CTL
   187  	return b < ' ' || b == del
   188  }
   189  
   190  // ValidHeaderFieldName reports whether v is a valid HTTP/1.x header name.
   191  // HTTP/2 imposes the additional restriction that uppercase ASCII
   192  // letters are not allowed.
   193  //
   194  // RFC 7230 says:
   195  //
   196  //	header-field   = field-name ":" OWS field-value OWS
   197  //	field-name     = token
   198  //	token          = 1*tchar
   199  //	tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
   200  //	        "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
   201  func ValidHeaderFieldName(v string) bool {
   202  	if len(v) == 0 {
   203  		return false
   204  	}
   205  	for _, r := range v {
   206  		if !IsTokenRune(r) {
   207  			return false
   208  		}
   209  	}
   210  	return true
   211  }
   212  
   213  // ValidHostHeader reports whether h is a valid host header.
   214  func ValidHostHeader(h string) bool {
   215  	// The latest spec is actually this:
   216  	//
   217  	// http://tools.ietf.org/html/rfc7230#section-5.4
   218  	//     Host = uri-host [ ":" port ]
   219  	//
   220  	// Where uri-host is:
   221  	//     http://tools.ietf.org/html/rfc3986#section-3.2.2
   222  	//
   223  	// But we're going to be much more lenient for now and just
   224  	// search for any byte that's not a valid byte in any of those
   225  	// expressions.
   226  	for i := 0; i < len(h); i++ {
   227  		if !validHostByte[h[i]] {
   228  			return false
   229  		}
   230  	}
   231  	return true
   232  }
   233  
   234  // See the validHostHeader comment.
   235  var validHostByte = [256]bool{
   236  	'0': true, '1': true, '2': true, '3': true, '4': true, '5': true, '6': true, '7': true,
   237  	'8': true, '9': true,
   238  
   239  	'a': true, 'b': true, 'c': true, 'd': true, 'e': true, 'f': true, 'g': true, 'h': true,
   240  	'i': true, 'j': true, 'k': true, 'l': true, 'm': true, 'n': true, 'o': true, 'p': true,
   241  	'q': true, 'r': true, 's': true, 't': true, 'u': true, 'v': true, 'w': true, 'x': true,
   242  	'y': true, 'z': true,
   243  
   244  	'A': true, 'B': true, 'C': true, 'D': true, 'E': true, 'F': true, 'G': true, 'H': true,
   245  	'I': true, 'J': true, 'K': true, 'L': true, 'M': true, 'N': true, 'O': true, 'P': true,
   246  	'Q': true, 'R': true, 'S': true, 'T': true, 'U': true, 'V': true, 'W': true, 'X': true,
   247  	'Y': true, 'Z': true,
   248  
   249  	'!':  true, // sub-delims
   250  	'$':  true, // sub-delims
   251  	'%':  true, // pct-encoded (and used in IPv6 zones)
   252  	'&':  true, // sub-delims
   253  	'(':  true, // sub-delims
   254  	')':  true, // sub-delims
   255  	'*':  true, // sub-delims
   256  	'+':  true, // sub-delims
   257  	',':  true, // sub-delims
   258  	'-':  true, // unreserved
   259  	'.':  true, // unreserved
   260  	':':  true, // IPv6address + Host expression's optional port
   261  	';':  true, // sub-delims
   262  	'=':  true, // sub-delims
   263  	'[':  true,
   264  	'\'': true, // sub-delims
   265  	']':  true,
   266  	'_':  true, // unreserved
   267  	'~':  true, // unreserved
   268  }
   269  
   270  // ValidHeaderFieldValue reports whether v is a valid "field-value" according to
   271  // http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 :
   272  //
   273  //	message-header = field-name ":" [ field-value ]
   274  //	field-value    = *( field-content | LWS )
   275  //	field-content  = <the OCTETs making up the field-value
   276  //	                 and consisting of either *TEXT or combinations
   277  //	                 of token, separators, and quoted-string>
   278  //
   279  // http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 :
   280  //
   281  //	TEXT           = <any OCTET except CTLs,
   282  //	                  but including LWS>
   283  //	LWS            = [CRLF] 1*( SP | HT )
   284  //	CTL            = <any US-ASCII control character
   285  //	                 (octets 0 - 31) and DEL (127)>
   286  //
   287  // RFC 7230 says:
   288  //
   289  //	field-value    = *( field-content / obs-fold )
   290  //	obj-fold       =  N/A to http2, and deprecated
   291  //	field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
   292  //	field-vchar    = VCHAR / obs-text
   293  //	obs-text       = %x80-FF
   294  //	VCHAR          = "any visible [USASCII] character"
   295  //
   296  // http2 further says: "Similarly, HTTP/2 allows header field values
   297  // that are not valid. While most of the values that can be encoded
   298  // will not alter header field parsing, carriage return (CR, ASCII
   299  // 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII
   300  // 0x0) might be exploited by an attacker if they are translated
   301  // verbatim. Any request or response that contains a character not
   302  // permitted in a header field value MUST be treated as malformed
   303  // (Section 8.1.2.6). Valid characters are defined by the
   304  // field-content ABNF rule in Section 3.2 of [RFC7230]."
   305  //
   306  // This function does not (yet?) properly handle the rejection of
   307  // strings that begin or end with SP or HTAB.
   308  func ValidHeaderFieldValue(v string) bool {
   309  	for i := 0; i < len(v); i++ {
   310  		b := v[i]
   311  		if isCTL(b) && !isLWS(b) {
   312  			return false
   313  		}
   314  	}
   315  	return true
   316  }
   317  
   318  func isASCII(s string) bool {
   319  	for i := 0; i < len(s); i++ {
   320  		if s[i] >= utf8.RuneSelf {
   321  			return false
   322  		}
   323  	}
   324  	return true
   325  }
   326  
   327  // PunycodeHostPort returns the IDNA Punycode version
   328  // of the provided "host" or "host:port" string.
   329  func PunycodeHostPort(v string) (string, error) {
   330  	if isASCII(v) {
   331  		return v, nil
   332  	}
   333  
   334  	host, port, err := net.SplitHostPort(v)
   335  	if err != nil {
   336  		// The input 'v' argument was just a "host" argument,
   337  		// without a port. This error should not be returned
   338  		// to the caller.
   339  		host = v
   340  		port = ""
   341  	}
   342  	host, err = idna.ToASCII(host)
   343  	if err != nil {
   344  		// Non-UTF-8? Not representable in Punycode, in any
   345  		// case.
   346  		return "", err
   347  	}
   348  	if port == "" {
   349  		return host, nil
   350  	}
   351  	return net.JoinHostPort(host, port), nil
   352  }