[bug] Panic on nil Hijack interface due to compress handler #169
Comments
|
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days. |
|
Can a project contributor shares their thoughts before this is automatically closed? I don't think an issue with no responses should be marked as stale. |
|
This doesn’t seem ideal. Are you willing to submit a PR + tests to fix? Happy to review & merge but don’t have time to push a PR for a while. |
|
Agreed, this seems weird. When I changed how CompressHandlerLevel works a bit I thought that code for checking interfaces and creating the compressResponseWriter was a bit smelly but I didn't really check it out since that's not what I was focused on changing. I can also help out with a review, or push a PR myself if needed. 👍 |
|
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days. |
|
Sorry, I'm not able to submit a PR because I don't know what the best solution is. Here is an example of what is required for proper ResponseWriter wrapping: https://github.com/aws/aws-xray-sdk-go/blob/master/xray/response_capturer.go. Since gorilla is widely used, what do you think about gorilla providing a wrapping mechanism other libraries can use to safely wrap a ResponseWriter? |
|
Since my last comment we found the "httpsnoop" package which seems like the best option to properly wrap response writers. It uses code generation to cover all the cases and handles changes across Go versions properly. We used it to fix a similar problem in opentelemetry. If that looks reasonable I can open a PR using that package. |
|
@muirdm Seems pretty straightforward - would love a PR for this. |
Wrapping http.ResponseWriter is fraught with danger. Our compress handler made sure to implement all the optional ResponseWriter interfaces, but that made it implement them even if the underlying writer did not. For example, if the underlying ResponseWriter was _not_ an http.Hijacker, the compress writer nonetheless appeared to implement http.Hijacker, but would panic if you called Hijack(). On the other hand, the logging handler checked for certain combinations of optional interfaces and only implemented them as appropriate. However, it didn't check for all optional interfaces or all combinations, so most optional interfaces would still get lost. Fix both problems by using httpsnoop to do the wrapping. It uses code generation to ensure correctness, and it handles std lib changes like the http.Pusher addition in Go 1.8. Fixes gorilla#169.
Wrapping http.ResponseWriter is fraught with danger. Our compress handler made sure to implement all the optional ResponseWriter interfaces, but that made it implement them even if the underlying writer did not. For example, if the underlying ResponseWriter was _not_ an http.Hijacker, the compress writer nonetheless appeared to implement http.Hijacker, but would panic if you called Hijack(). On the other hand, the logging handler checked for certain combinations of optional interfaces and only implemented them as appropriate. However, it didn't check for all optional interfaces or all combinations, so most optional interfaces would still get lost. Fix both problems by using httpsnoop to do the wrapping. It uses code generation to ensure correctness, and it handles std lib changes like the http.Pusher addition in Go 1.8. Fixes #169.
Describe the bug
The compress handler leaves an empty http.Hijacker interface in the wrapped response writer even when the incoming response writer does not implement http.Hijacker. This causes the wrapped response writer to still implement http.Hijacker, but if you try to call
Hijack()it will panic.Steps to Reproduce
The text was updated successfully, but these errors were encountered: