Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Ignore case sensitivity when matching defined methods #762

Open
1 task done
glinton opened this issue Jun 12, 2024 · 3 comments
Open
1 task done

[FEATURE] Ignore case sensitivity when matching defined methods #762

glinton opened this issue Jun 12, 2024 · 3 comments

Comments

@glinton
Copy link

glinton commented Jun 12, 2024

Is there an existing feature request for this?

  • I have searched the existing feature requests

Is your feature request related to a problem? Please describe.

If a client is (mis)configured to make requests with lowercase method names, it is impossible to use gorilla/mux to match.

Describe the solution that you would like.

Case insensitive matches on methods.

Describe alternatives you have considered.

One way is to stop strings.ToUpper-ing defined methods, but that would break compatibility. Documenting the current limitation if the behavior is not changed would also go far.

Anything else?

A test case that demonstrates the condition:

func TestLowercaseMethods(t *testing.T) {
	r := mux.NewRouter()

	r.HandleFunc("/hc", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}).Methods("get", "GET")

	methods := []string{"get", "GET"}

	for i := range methods {
		w := httptest.NewRecorder()
		r.ServeHTTP(w, httptest.NewRequest(methods[i], "/hc", nil))
		t.Logf("Method %q: got %d", methods[i], w.Result().StatusCode)
	}
}

// Method "get": got 405
// Method "GET": got 200

Also, thanks!
@jaitaiwan
Copy link
Member

Thanks for bringing this to our attention.

This was referenced Jun 20, 2024
Closed
Closed
@hulkingshtick
Copy link

hulkingshtick commented Aug 21, 2024
edited
Loading

It is incorrect to ignore case when comparing HTTP method names because HTTP method names are case sensitive. The methods "GET" and "get" are different.

The problem is that Methods calls strings.ToUpper on the method name. The method name should be used as is.

The maintainers are in a bit of a pickle here. Removing the call to strings.ToUpper will break compatibility. Case insensitive comparison will incorrectly match method names.

OP can work around this mess by wrapping the mux with a handler that uppercases the Request.Method before invoking the mux.

func upperMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Method = strings.ToUpper(r.Method)
		next.ServeHTTP(w, r)
	})
}

⋮
log.Fatal(http.ListenAndServe(addr, upperMethod(mux)))
⋮

@jub0bs
Copy link

jub0bs commented Sep 4, 2024

@hulkingshtick is correct. FWIW, many CORS middleware libraries also unduly upper-case method names, which can lead to problems: gorilla/handlers#253

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@jaitaiwan @glinton @jub0bs @hulkingshtick