From b9153f6ef338baee5fe02a867c8fbc83a8b29dd1 Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Wed, 19 Jul 2023 10:30:46 -0700 Subject: net/http: permit requests with invalid Host headers Historically, the Transport has silently truncated invalid Host headers at the first '/' or ' ' character. CL 506996 changed this behavior to reject invalid Host headers entirely. Unfortunately, Docker appears to rely on the previous behavior. When sending a HTTP/1 request with an invalid Host, send an empty Host header. This is safer than truncation: If you care about the Host, then you should get the one you set; if you don't care, then an empty Host should be fine. Continue to fully validate Host headers sent to a proxy, since proxies generally can't productively forward requests without a Host. For #60374 Fixes #61431 Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6 Reviewed-on: https://go-review.googlesource.com/c/go/+/511155 TryBot-Result: Gopher Robot Reviewed-by: Roland Shoemaker Run-TryBot: Damien Neil --- src/net/http/request_test.go | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'src/net/http/request_test.go') diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go index 0892bc255f..a32b583c11 100644 --- a/src/net/http/request_test.go +++ b/src/net/http/request_test.go @@ -767,16 +767,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) { } } -func TestRequestBadHost(t *testing.T) { +func TestRequestBadHostHeader(t *testing.T) { got := []string{} req, err := NewRequest("GET", "http://foo/after", nil) if err != nil { t.Fatal(err) } - req.Host = "foo.com with spaces" - req.URL.Host = "foo.com with spaces" - if err := req.Write(logWrites{t, &got}); err == nil { - t.Errorf("Writing request with invalid Host: succeded, want error") + req.Host = "foo.com\nnewline" + req.URL.Host = "foo.com\nnewline" + req.Write(logWrites{t, &got}) + want := []string{ + "GET /after HTTP/1.1\r\n", + "Host: \r\n", + "User-Agent: " + DefaultUserAgent + "\r\n", + "\r\n", + } + if !reflect.DeepEqual(got, want) { + t.Errorf("Writes = %q\n Want = %q", got, want) } } -- cgit v1.3-6-g1900