Ouch! This is a really egregious bug in node.js. It only looks at the first letter of the HTTP method and guesses the rest.

Originally shared by James Snell

Wouldn’t it be great if folks actually took the time to properly implement specifications? Node.js, for instance, has a very strange way of handling HTTP request methods.

2 replies on “Ouch!”

  1. Found this through your comment;

    It’s not actually guessing the rest – it’s looking at the first byte and then bailing early if it knows it’s not going to be able to do anything useful. It definitely continues on to do the minimal comparisons needed to determine what the verb is. Pretty clever bit of code, but a total beast to wrap your head around.

    Keep in mind the parser code’s also ripped straight from nginx, one of the most heavily micro-optimized apps out there. ­čÖé

  2. Adrian Pike┬áTake another look at the code. It’s bailing early if it thinks it knows what the method is. For instance, “GEM” is interpreted as “GET”, “PUN” is interpreted as “PUT”. However, “POSH” is an error… and perfectly legitimate registered methods return errors. The code, as written, does not come close to even bothering to implement proper parsing of HTTP methods, gets the ones it does support wrong, and fails to properly report error conditions when they do arise (i.e. 400 or 405). That’s not clever, it’s lazy.

Comments are closed.