From c5b8569707cabe19f861cb67062c07598aff2aa1 Mon Sep 17 00:00:00 2001
From: Armani Ferrante
Date: Fri, 17 Nov 2017 04:07:11 -0800
Subject: rpc: disallow PUT and DELETE on HTTP (#15501)
Fixes #15493
---
rpc/http_test.go | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 rpc/http_test.go
(limited to 'rpc/http_test.go')
diff --git a/rpc/http_test.go b/rpc/http_test.go
new file mode 100644
index 000000000..f4afd5216
--- /dev/null
+++ b/rpc/http_test.go
@@ -0,0 +1,40 @@
+package rpc
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "strings"
+ "testing"
+)
+
+func TestHTTPErrorResponseWithDelete(t *testing.T) {
+ httpErrorResponseTest(t, "DELETE", contentType, "", http.StatusMethodNotAllowed)
+}
+
+func TestHTTPErrorResponseWithPut(t *testing.T) {
+ httpErrorResponseTest(t, "PUT", contentType, "", http.StatusMethodNotAllowed)
+}
+
+func TestHTTPErrorResponseWithMaxContentLength(t *testing.T) {
+ body := make([]rune, maxHTTPRequestContentLength+1, maxHTTPRequestContentLength+1)
+ httpErrorResponseTest(t,
+ "POST", contentType, string(body), http.StatusRequestEntityTooLarge)
+}
+
+func TestHTTPErrorResponseWithEmptyContentType(t *testing.T) {
+ httpErrorResponseTest(t, "POST", "", "", http.StatusUnsupportedMediaType)
+}
+
+func TestHTTPErrorResponseWithValidRequest(t *testing.T) {
+ httpErrorResponseTest(t, "POST", contentType, "", 0)
+}
+
+func httpErrorResponseTest(t *testing.T,
+ method, contentType, body string, expectedResponse int) {
+
+ request := httptest.NewRequest(method, "http://url.com", strings.NewReader(body))
+ request.Header.Set("content-type", contentType)
+ if response, _ := httpErrorResponse(request); response != expectedResponse {
+ t.Fatalf("response code should be %d not %d", expectedResponse, response)
+ }
+}
-- cgit v1.2.3
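Review bot: `httpErrorResponseTest` discards the second return value of `httpErrorResponse` (`response, _ := ...`), so the tests pin only the status code and would still pass if a rejected request came back with a nil error, or the valid POST with a non-nil one. Assuming that value is an `error`, capture it and assert it agrees with the code, e.g. `if (err != nil) != (expectedResponse != 0) { t.Fatalf("unexpected error state: %v", err) }`. Method coverage is also limited to PUT and DELETE: the handler is not part of this patch view, so it is unclear whether it rejects by denylist, and a case for another verb the endpoint is not meant to serve (for example `"PATCH"`) would document the intended behaviour either way. The oversized-body case only exercises a declared Content-Length (the one `httptest.NewRequest` derives from the `strings.Reader`), so it says nothing about bodies sent without a length.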