http3: panic in ResponseWriter.WriteHeader for invalid status codes (#3984)

* response writer: panic for invalid status code

* add tests

* readd imports

* readd imports

* fix imports

http3/response_writer.go

@@ -3,6 +3,7 @@ package http3
 import (
 	"bufio"
 	"bytes"
+	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
@@ -55,7 +56,12 @@ func (w *responseWriter) WriteHeader(status int) {
 		return
 	}
 
-	if status < 100 || status >= 200 {
+	// http status must be 3 digits
+	if status < 100 || status > 999 {
+		panic(fmt.Sprintf("invalid WriteHeader code %v", status))
+	}
+
+	if status >= 200 {
 		w.headerWritten = true
 		// Add Date header.
 		// This is what the standard library does.

http3/response_writer_test.go

@@ -178,4 +178,9 @@ var _ = Describe("Response Writer", func() {
 		Expect(n).To(Equal(0))
 		Expect(err).To(Equal(http.ErrContentLength))
 	})
+
+	It(`panics when writing invalid status`, func() {
+		Expect(func() { rw.WriteHeader(99) }).To(Panic())
+		Expect(func() { rw.WriteHeader(1000) }).To(Panic())
+	})
 })