authorDamien Neil <dneil@google.com>2023-06-28 13:20:08 -0700
committerDamien Neil <dneil@google.com>2023-06-29 17:00:06 +0000
commit499458f7ca04087958987a33c2703c3ef03e27e2 (patch)
treeba0a1dc6e81eb34d677972cb9613ff760bb93e33 /src/net/http/request_test.go
parentfe73c186eba2c849a2f2aeaca091ddb5bac3aef1 (diff)
net/http: validate Host header before sending
Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Evil header to HTTP/1 requests. Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to header injection in the way HTTP/1 is, but x/net/http2 doesn't validate the header and will go into a retry loop when the server rejects it. CL 506995 adds the necessary validation to x/net/http2. For #60374 Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com>
Diffstat (limited to 'src/net/http/request_test.go')
-rw-r--r--src/net/http/request_test.go11
1 files changed, 2 insertions, 9 deletions
diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
index 78b968f23c..0892bc255f 100644
--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
@@ -775,15 +775,8 @@ func TestRequestBadHost(t *testing.T) {
}
req.Host = "foo.com with spaces"
req.URL.Host = "foo.com with spaces"
- req.Write(logWrites{t, &got})
- want := []string{
- "GET /after HTTP/1.1\r\n",
- "Host: foo.com\r\n",
- "User-Agent: " + DefaultUserAgent + "\r\n",
- "\r\n",
- }
- if !reflect.DeepEqual(got, want) {
- t.Errorf("Writes = %q\n Want = %q", got, want)
+ if err := req.Write(logWrites{t, &got}); err == nil {
+ t.Errorf("Writing request with invalid Host: succeded, want error")
}
}
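Review bot: The rewritten assertion at the end of TestRequestBadHost checks only that req.Write returns an error, while `got` is still collected through logWrites and never inspected, so a regression that writes the request line or part of the Host header before rejecting the value would still pass. Since the point of the change is that an invalid Host never reaches the wire, consider adding `if len(got) != 0 { t.Errorf("Writes = %q, want none", got) }` after the error check; this assumes validation runs before the first write, which the hunk does not show. The failure message also misspells "succeeded" as `succeded`. The function begins above the hunk, so the setup of `got` and `req` is not visible here.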