Merge branch 'master' into abi-offset-fixed-arrays

4 files changed, 92 insertions, 15 deletions

diff --git a/rpc/http.go b/rpc/http.go
index 4143e2a8d..a26559b12 100644
--- a/rpc/http.go
+++ b/rpc/http.go
@@ -20,9 +20,11 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"mime"
 	"net"
 	"net/http"
 	"sync"
@@ -32,6 +34,7 @@ import (
 )
 
 const (
+	contentType                 = "application/json"
 	maxHTTPRequestContentLength = 1024 * 128
 )
 
@@ -64,12 +67,12 @@ func (hc *httpConn) Close() error {
 
 // DialHTTP creates a new RPC clients that connection to an RPC server over HTTP.
 func DialHTTP(endpoint string) (*Client, error) {
-	req, err := http.NewRequest("POST", endpoint, nil)
+	req, err := http.NewRequest(http.MethodPost, endpoint, nil)
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", contentType)
+	req.Header.Set("Accept", contentType)
 
 	initctx := context.Background()
 	return newClient(initctx, func(context.Context) (net.Conn, error) {
@@ -145,22 +148,42 @@ func NewHTTPServer(cors []string, srv *Server) *http.Server {
 
 // ServeHTTP serves JSON-RPC requests over HTTP.
 func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.ContentLength > maxHTTPRequestContentLength {
-		http.Error(w,
-			fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength),
-			http.StatusRequestEntityTooLarge)
+	// Permit dumb empty requests for remote health-checks (AWS)
+	if r.Method == http.MethodGet && r.ContentLength == 0 && r.URL.RawQuery == "" {
 		return
 	}
-	w.Header().Set("content-type", "application/json")
-
-	// create a codec that reads direct from the request body until
-	// EOF and writes the response to w and order the server to process
-	// a single request.
+	if code, err := validateRequest(r); err != nil {
+		http.Error(w, err.Error(), code)
+		return
+	}
+	// All checks passed, create a codec that reads direct from the request body
+	// untilEOF and writes the response to w and order the server to process a
+	// single request.
 	codec := NewJSONCodec(&httpReadWriteNopCloser{r.Body, w})
 	defer codec.Close()
+
+	w.Header().Set("content-type", contentType)
 	srv.ServeSingleRequest(codec, OptionMethodInvocation)
 }
 
+// validateRequest returns a non-zero response code and error message if the
+// request is invalid.
+func validateRequest(r *http.Request) (int, error) {
+	if r.Method == http.MethodPut || r.Method == http.MethodDelete {
+		return http.StatusMethodNotAllowed, errors.New("method not allowed")
+	}
+	if r.ContentLength > maxHTTPRequestContentLength {
+		err := fmt.Errorf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength)
+		return http.StatusRequestEntityTooLarge, err
+	}
+	mt, _, err := mime.ParseMediaType(r.Header.Get("content-type"))
+	if err != nil || mt != contentType {
+		err := fmt.Errorf("invalid content type, only %s is supported", contentType)
+		return http.StatusUnsupportedMediaType, err
+	}
+	return 0, nil
+}
+
 func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler {
 	// disable CORS support if user has not specified a custom CORS configuration
 	if len(allowedOrigins) == 0 {
@@ -169,7 +192,7 @@ func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler {
 
 	c := cors.New(cors.Options{
 		AllowedOrigins: allowedOrigins,
-		AllowedMethods: []string{"POST", "GET"},
+		AllowedMethods: []string{http.MethodPost, http.MethodGet},
 		MaxAge:         600,
 		AllowedHeaders: []string{"*"},
 	})
diff --git a/rpc/http_test.go b/rpc/http_test.go
new file mode 100644
index 000000000..aed84f683
--- /dev/null
+++ b/rpc/http_test.go
@@ -0,0 +1,54 @@
+// Copyright 2017 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package rpc
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestHTTPErrorResponseWithDelete(t *testing.T) {
+	testHTTPErrorResponse(t, http.MethodDelete, contentType, "", http.StatusMethodNotAllowed)
+}
+
+func TestHTTPErrorResponseWithPut(t *testing.T) {
+	testHTTPErrorResponse(t, http.MethodPut, contentType, "", http.StatusMethodNotAllowed)
+}
+
+func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) {
+	body := make([]rune, maxHTTPRequestContentLength+1)
+	testHTTPErrorResponse(t,
+		http.MethodPost, contentType, string(body), http.StatusRequestEntityTooLarge)
+}
+
+func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) {
+	testHTTPErrorResponse(t, http.MethodPost, "", "", http.StatusUnsupportedMediaType)
+}
+
+func TestHTTPErrorResponseWithValidRequest(t *testing.T) {
+	testHTTPErrorResponse(t, http.MethodPost, contentType, "", 0)
+}
+
+func testHTTPErrorResponse(t *testing.T, method, contentType, body string, expected int) {
+	request := httptest.NewRequest(method, "http://url.com", strings.NewReader(body))
+	request.Header.Set("content-type", contentType)
+	if code, _ := validateRequest(request); code != expected {
+		t.Fatalf("response code should be %d not %d", expected, code)
+	}
+}
diff --git a/rpc/subscription_test.go b/rpc/subscription_test.go
index 39f759692..0ba177e63 100644
--- a/rpc/subscription_test.go
+++ b/rpc/subscription_test.go
@@ -290,7 +290,7 @@ func TestSubscriptionMultipleNamespaces(t *testing.T) {
 
 	for {
 		done := true
-		for id, _ := range count {
+		for id := range count {
 			if count, found := count[id]; !found || count < (2*n) {
 				done = false
 			}
diff --git a/rpc/websocket.go b/rpc/websocket.go
index 5f9593a43..4214fc86a 100644
--- a/rpc/websocket.go
+++ b/rpc/websocket.go
@@ -83,7 +83,7 @@ func wsHandshakeValidator(allowedOrigins []string) func(*websocket.Config, *http
 		if allowAllOrigins || origins.Has(origin) {
 			return nil
 		}
-		log.Debug(fmt.Sprintf("origin '%s' not allowed on WS-RPC interface\n", origin))
+		log.Warn(fmt.Sprintf("origin '%s' not allowed on WS-RPC interface\n", origin))
 		return fmt.Errorf("origin %s not allowed", origin)
 	}