diff options
Diffstat (limited to 'rpc/http.go')
| -rw-r--r-- | rpc/http.go | 49 |
1 files changed, 36 insertions, 13 deletions
diff --git a/rpc/http.go b/rpc/http.go index 4143e2a8d..a26559b12 100644 --- a/rpc/http.go +++ b/rpc/http.go @@ -20,9 +20,11 @@ import ( "bytes" "context" "encoding/json" + "errors" "fmt" "io" "io/ioutil" + "mime" "net" "net/http" "sync" @@ -32,6 +34,7 @@ import ( ) const ( + contentType = "application/json" maxHTTPRequestContentLength = 1024 * 128 ) @@ -64,12 +67,12 @@ func (hc *httpConn) Close() error { // DialHTTP creates a new RPC clients that connection to an RPC server over HTTP. func DialHTTP(endpoint string) (*Client, error) { - req, err := http.NewRequest("POST", endpoint, nil) + req, err := http.NewRequest(http.MethodPost, endpoint, nil) if err != nil { return nil, err } - req.Header.Set("Content-Type", "application/json") - req.Header.Set("Accept", "application/json") + req.Header.Set("Content-Type", contentType) + req.Header.Set("Accept", contentType) initctx := context.Background() return newClient(initctx, func(context.Context) (net.Conn, error) { @@ -145,22 +148,42 @@ func NewHTTPServer(cors []string, srv *Server) *http.Server { // ServeHTTP serves JSON-RPC requests over HTTP. func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { - if r.ContentLength > maxHTTPRequestContentLength { - http.Error(w, - fmt.Sprintf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength), - http.StatusRequestEntityTooLarge) + // Permit dumb empty requests for remote health-checks (AWS) + if r.Method == http.MethodGet && r.ContentLength == 0 && r.URL.RawQuery == "" { return } - w.Header().Set("content-type", "application/json") - - // create a codec that reads direct from the request body until - // EOF and writes the response to w and order the server to process - // a single request. + if code, err := validateRequest(r); err != nil { + http.Error(w, err.Error(), code) + return + } + // All checks passed, create a codec that reads direct from the request body + // untilEOF and writes the response to w and order the server to process a + // single request. codec := NewJSONCodec(&httpReadWriteNopCloser{r.Body, w}) defer codec.Close() + + w.Header().Set("content-type", contentType) srv.ServeSingleRequest(codec, OptionMethodInvocation) } +// validateRequest returns a non-zero response code and error message if the +// request is invalid. +func validateRequest(r *http.Request) (int, error) { + if r.Method == http.MethodPut || r.Method == http.MethodDelete { + return http.StatusMethodNotAllowed, errors.New("method not allowed") + } + if r.ContentLength > maxHTTPRequestContentLength { + err := fmt.Errorf("content length too large (%d>%d)", r.ContentLength, maxHTTPRequestContentLength) + return http.StatusRequestEntityTooLarge, err + } + mt, _, err := mime.ParseMediaType(r.Header.Get("content-type")) + if err != nil || mt != contentType { + err := fmt.Errorf("invalid content type, only %s is supported", contentType) + return http.StatusUnsupportedMediaType, err + } + return 0, nil +} + func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler { // disable CORS support if user has not specified a custom CORS configuration if len(allowedOrigins) == 0 { @@ -169,7 +192,7 @@ func newCorsHandler(srv *Server, allowedOrigins []string) http.Handler { c := cors.New(cors.Options{ AllowedOrigins: allowedOrigins, - AllowedMethods: []string{"POST", "GET"}, + AllowedMethods: []string{http.MethodPost, http.MethodGet}, MaxAge: 600, AllowedHeaders: []string{"*"}, }) |