From acb189ea59d7f47e5db075e502dcce5eac6571dc Mon Sep 17 00:00:00 2001 From: ian woolf Date: Mon, 12 Apr 2021 17:19:03 +0800 Subject: net/http: make ReadRequest return an error when requests have multiple Host headers Fixes #45513 Change-Id: I59e717a4bbd3e71320deff519e4f9587ee5c8756 Reviewed-on: https://go-review.googlesource.com/c/go/+/308952 Trust: Damien Neil Reviewed-by: Brad Fitzpatrick --- src/net/http/request.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'src/net/http/request.go') diff --git a/src/net/http/request.go b/src/net/http/request.go index ff21f19942..4a07eb1c79 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -1010,16 +1010,16 @@ func putTextprotoReader(r *textproto.Reader) { // requests and handle them via the Handler interface. ReadRequest // only supports HTTP/1.x requests. For HTTP/2, use golang.org/x/net/http2. func ReadRequest(b *bufio.Reader) (*Request, error) { - return readRequest(b, deleteHostHeader) -} + req, err := readRequest(b) + if err != nil { + return nil, err + } -// Constants for readRequest's deleteHostHeader parameter. -const ( - deleteHostHeader = true - keepHostHeader = false -) + delete(req.Header, "Host") + return req, err +} -func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err error) { +func readRequest(b *bufio.Reader) (req *Request, err error) { tp := newTextprotoReader(b) req = new(Request) @@ -1077,6 +1077,9 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro return nil, err } req.Header = Header(mimeHeader) + if len(req.Header["Host"]) > 1 { + return nil, fmt.Errorf("too many Host headers") + } // RFC 7230, section 5.3: Must treat // GET /index.html HTTP/1.1 @@ -1089,9 +1092,6 @@ func readRequest(b *bufio.Reader, deleteHostHeader bool) (req *Request, err erro if req.Host == "" { req.Host = req.Header.get("Host") } - if deleteHostHeader { - delete(req.Header, "Host") - } fixPragmaCacheControl(req.Header) -- cgit v1.3-5-g9baa