From 73f901f6127d8895558229c9ad621dad16066c94 Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Tue, 21 Apr 2020 15:30:36 -0700
Subject: [PATCH] http: ensure return after writing response by respondError (#8796)
---
 command/agent/cache/handler.go | 1 +
 http/logical.go | 2 ++
 http/sys_metrics.go | 1 +
 http/sys_raft.go | 1 +
 4 files changed, 5 insertions(+)
diff --git a/command/agent/cache/handler.go b/command/agent/cache/handler.go
index b9f935d134309..a63d32a79c493 100644
--- a/command/agent/cache/handler.go
+++ b/command/agent/cache/handler.go
@@ -40,6 +40,7 @@ func Handler(ctx context.Context, logger hclog.Logger, proxier Proxier, inmemSin
 if err != nil {
 logger.Error("failed to read request body")
 logical.RespondError(w, http.StatusInternalServerError, errors.New("failed to read request body"))
+ return
 }
 if r.Body != nil {
 r.Body.Close()
diff --git a/http/logical.go b/http/logical.go
index 25572a018969a..57ec03629b4c9 100644
--- a/http/logical.go
+++ b/http/logical.go
@@ -232,6 +232,7 @@ func handleLogicalRecovery(raw *vault.RawBackend, token *atomic.String) http.Han
 reqToken := r.Header.Get(consts.AuthHeaderName)
 if reqToken == "" || token.Load() == "" || reqToken != token.Load() {
 respondError(w, http.StatusForbidden, nil)
+ return
 }
 resp, err := raw.HandleRequest(r.Context(), req)
@@ -379,6 +380,7 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForw
 case strings.HasPrefix(req.Path, "sys/metrics"):
 if isStandby, _ := core.Standby(); isStandby {
 respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
+ return
 }
 }
diff --git a/http/sys_metrics.go b/http/sys_metrics.go
index b97786b79f6e5..0e58be3ea262d 100644
--- a/http/sys_metrics.go
+++ b/http/sys_metrics.go
@@ -17,6 +17,7 @@ func handleMetricsUnauthenticated(core *vault.Core) http.Handler {
 case "GET":
 default:
 respondError(w, http.StatusMethodNotAllowed, nil)
+ return
 }
 // Parse form
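Review bot: The five added `return` statements come without a regression test; the diffstat lists only the four handler files, so nothing stops the same fall-through from reappearing in these handlers. The case that matters most is `handleLogicalRecovery` in http/logical.go, where before this change a request that failed the token check still went on to `raw.HandleRequest` after the 403 had been written. A test per handler should assert the status code and that the response holds only the error payload, with no further processing afterwards. In this hunk in `Handler` (command/agent/cache/handler.go) the read error is also missing from the log line; `logger.Error("failed to read request body", "error", err)` would keep it. `Handler`'s body starts and ends outside the hunk.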
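Review bot: The recovery-token check in `handleLogicalRecovery` (http/logical.go, first hunk) compares the secret with `!=`, which is not a constant-time comparison, and it calls `token.Load()` twice, so the emptiness test and the comparison can observe different values if the token is replaced concurrently. Load it once and compare in constant time: `expected := token.Load()` followed by `if reqToken == "" || expected == "" || subtle.ConstantTimeCompare([]byte(reqToken), []byte(expected)) != 1 {`. That needs `crypto/subtle` in the file's import block, which is outside this hunk. The handler closure starts and ends outside the hunk as well.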
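Review bot: The standby guard in the `sys/metrics` case of `handleLogicalInternal` (http/logical.go, second hunk) discards the error from `core.Standby()` with `isStandby, _ := ...`, so a failed call presumably leaves `isStandby` false and the request continues past the guard as if the node were active. What `Standby` returns alongside an error is not visible here, but failing closed is the safer default: `isStandby, err := core.Standby()`, then `if err != nil { respondError(w, http.StatusInternalServerError, err); return }` ahead of the existing `if isStandby` branch. The enclosing switch and function extend beyond the hunk.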
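Review bot: The 405 written from the `default:` branch of `handleMetricsUnauthenticated` (http/sys_metrics.go) carries no `Allow` header as far as this hunk shows, although RFC 7231 requires one on a Method Not Allowed response. Unless `respondError` sets it, add `w.Header().Set("Allow", http.MethodGet)` before the call. The empty `case "GET":` arm would also read more directly as `if r.Method != http.MethodGet {`, assuming the switch is on `r.Method`; the switch header and the rest of the handler are outside the hunk.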
diff --git a/http/sys_raft.go b/http/sys_raft.go
index c36f87310df58..c443a11ad2ebc 100644
--- a/http/sys_raft.go
+++ b/http/sys_raft.go
@@ -33,6 +33,7 @@ func handleSysRaftJoinPost(core *vault.Core, w http.ResponseWriter, r *http.Requ
 if req.NonVoter && !nonVotersAllowed {
 respondError(w, http.StatusBadRequest, errors.New("non-voting nodes not allowed"))
+ return
 }
 var tlsConfig *tls.Config