| author | Damien Neil <dneil@google.com> | 2023-06-28 13:20:08 -0700 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2023-06-29 17:00:06 +0000 |
| commit | 499458f7ca04087958987a33c2703c3ef03e27e2 (patch) | |
| tree | ba0a1dc6e81eb34d677972cb9613ff760bb93e33 /src/database/sql | |
| parent | fe73c186eba2c849a2f2aeaca091ddb5bac3aef1 (diff) | |
| download | go-499458f7ca04087958987a33c2703c3ef03e27e2.tar.xz | |

net/http: validate Host header before sending

Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

For #60374

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>

Diffstat (limited to 'src/database/sql')
0 files changed, 0 insertions, 0 deletions
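
The behavior the commit message describes, as an added example that is not code from this commit or from net/http: an HTTP/1.1 request head built by string concatenation turns the quoted Host value into a second header on the receiving side, while a byte allow-list rejects it before anything is written. The names `hostByteOK`, `checkHost`, `naiveHead` and `headersSeenByServer` are hypothetical, and the allow-list (RFC 3986 host and port characters) is an assumption of this example rather than the exact check the commit adds.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// hostByteOK reports whether c may appear in a Host header value:
// letters, digits, and the punctuation RFC 3986 permits in host[:port].
func hostByteOK(c byte) bool {
	if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
		return true
	}
	return strings.IndexByte("-._~!$&'()*+,;=:%[]", c) >= 0
}

// checkHost rejects any Host value containing a byte outside the allow-list,
// which covers CR, LF, space and every other control character.
func checkHost(host string) error {
	for i := 0; i < len(host); i++ {
		if !hostByteOK(host[i]) {
			return fmt.Errorf("invalid byte %q in Host at offset %d", host[i], i)
		}
	}
	return nil
}

// naiveHead serializes an HTTP/1.1 request head without validating host.
func naiveHead(host string) string {
	return "GET / HTTP/1.1\r\nHost: " + host + "\r\n\r\n"
}

// headersSeenByServer parses a request head the way a Go server would.
func headersSeenByServer(head string) (http.Header, string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(head)))
	if err != nil {
		return nil, "", err
	}
	return req.Header, req.Host, nil
}

func main() {
	host := "go.dev\r\nX-Evil:oops" // the value quoted in the commit message
	hdr, seenHost, _ := headersSeenByServer(naiveHead(host))
	fmt.Printf("unvalidated: Host=%q X-Evil=%q\n", seenHost, hdr.Get("X-Evil"))
	fmt.Println("validated:", checkHost(host), "| benign:", checkHost("go.dev:443"))
}
```
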
